PatchSiren cyber security CVE debrief
CVE-2026-12105 Devolutions CVE debrief
CVE-2026-12105 is an improper access control vulnerability in Devolutions Server versions 2026.2.5 and 2026.1.21. An authenticated user can exploit this vulnerability to access attachments by duplicating a folder and inheriting permissions.
- Vendor
- Devolutions
- Product
- Devolutions Server
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-17
Who should care
Users of Devolutions Server versions 2026.2.5 and 2026.1.21 should apply patches or mitigations to prevent unauthorized access to attachments.
Technical summary
The vulnerability allows an authenticated user to access attachments via folder duplication with inherited permissions in Devolutions Server 2026.2.5 and 2026.1.21.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by Devolutions to fix the vulnerability.
- Restrict access to sensitive attachments and folders.
- Monitor server logs for suspicious activity.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
-
CVE-2026-12105 CVE record
CVE.org
-
CVE-2026-12105 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-12105 was published on 2026-06-16T20:16:27.483Z and modified on 2026-06-16T20:41:35.520Z.