PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12117 Devolutions CVE debrief

CVE-2026-12117 is an improper access control vulnerability in the social login connection endpoint of Devolutions Server 2026.2.5. An authenticated vault member can send a crafted API request to that endpoint and enumerate metadata of social login entries they have not been granted access to. The associated Common Weakness Enumeration is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVE was published on 2026-06-16; the current record and its modification history are on the [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-12117) and the [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2026-12117).

Vendor
Devolutions
Product
Devolutions Server
CVSS
Medium (4.3)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-16
Original CVE updated
2026-06-17
Advisory published
2026-06-16
Advisory updated
2026-06-17

Who should care

Administrators of Devolutions Server deployments running version 2026.2.5, in particular deployments that store social login entries and grant vault membership to users who are not meant to see all of them. The attacker needs only an ordinary vault member account, so any environment where vault membership is broader than entry-level permissions is exposed.

Technical summary

The social login connection endpoint of Devolutions Server 2026.2.5 does not enforce authorization on the specific entry being requested. An authenticated vault member can craft an API request that references social login entries they were never granted, and the server returns those entries' metadata. Walking entry identifiers turns this into an enumeration of social login entries across the vault. The impact is disclosure only (CWE-200): the attacker reads metadata but cannot modify entries, which is consistent with the Medium 4.3 score.
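The pattern behind this class of bug, as an added illustration that is not Devolutions Server code: a metadata read endpoint that checks only vault membership (the vulnerable shape) next to one that checks the caller's permission on the specific entry (the hardened shape). The entry store, permission model, user names and handler names are constructed for the example.

```python
"""Illustration of the bug class behind CVE-2026-12117 (CWE-200 via a
missing per-object authorization check). Generic demonstration code,
not Devolutions Server source; the entry store, permission model and
handler names below are assumptions made for the example."""

from dataclasses import dataclass, field


@dataclass
class SocialLoginEntry:
    entry_id: int
    vault_id: int
    provider: str                 # constructed values, e.g. "github"
    account: str                  # the identity the entry refers to
    allowed_users: set = field(default_factory=set)  # users with view rights


class NotAuthorized(Exception):
    pass


# Constructed sample data: one vault, two entries, two vault members.
# Bob is a vault member but was only granted entry 101.
ENTRIES = {
    101: SocialLoginEntry(101, 1, "github", "alice@example.com", {"alice", "bob"}),
    102: SocialLoginEntry(102, 1, "google", "ops@example.com", {"alice"}),
}
VAULT_MEMBERS = {1: {"alice", "bob"}}


def is_vault_member(user: str, vault_id: int) -> bool:
    return user in VAULT_MEMBERS.get(vault_id, set())


def get_metadata_vulnerable(user: str, entry_id: int) -> dict:
    """Vulnerable shape: the endpoint verifies only that the caller is a
    member of the entry's vault, then returns metadata for any entry id.
    Bob can walk ids and read entry 102, which he was never granted."""
    entry = ENTRIES[entry_id]          # KeyError for unknown ids
    if not is_vault_member(user, entry.vault_id):
        raise NotAuthorized("not a vault member")
    return {"id": entry.entry_id, "provider": entry.provider, "account": entry.account}


def get_metadata_fixed(user: str, entry_id: int) -> dict:
    """Hardened shape: authorization is checked against the specific
    entry, not just the vault. Unknown and forbidden ids fail identically,
    so the endpoint cannot be used to confirm which ids exist."""
    entry = ENTRIES.get(entry_id)
    if entry is None or user not in entry.allowed_users:
        raise NotAuthorized("entry not found or not permitted")
    return {"id": entry.entry_id, "provider": entry.provider, "account": entry.account}


def enumerate_entries(handler, user: str, id_range) -> list:
    """Simulate the crafted-request loop an attacker would run: try each
    entry id and return the ids whose metadata the handler disclosed."""
    disclosed = []
    for entry_id in id_range:
        try:
            handler(user, entry_id)
            disclosed.append(entry_id)
        except (NotAuthorized, KeyError):
            continue
    return disclosed


if __name__ == "__main__":
    print("vulnerable, bob:", enumerate_entries(get_metadata_vulnerable, "bob", range(100, 105)))
    print("fixed, bob:     ", enumerate_entries(get_metadata_fixed, "bob", range(100, 105)))
```

The fixed handler deliberately returns the same error for an unknown id and a forbidden one; distinguishing "not found" from "forbidden" would still let a vault member count how many social login entries exist, which is a weaker form of the same enumeration.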

Defensive priority

High

Recommended defensive actions

  • Upgrade Devolutions Server to the fixed release named in Devolutions advisory DEVO-2026-0017. The flaw is in server-side authorization and cannot be mitigated from the client.
  • Until the upgrade is in place, reduce who can reach the endpoint. The attacker must already be an authenticated vault member, so review membership of vaults that hold social login entries, remove members who do not need access, and keep the server's API behind network controls (VPN, source allow-lists) rather than exposed to the internet.
  • Monitor requests to the social login connection endpoint. A single account requesting many distinct entry identifiers in a short window, especially mixed with "not found" or "forbidden" responses, is the enumeration pattern this CVE enables; alert on it and review the account.
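A detection sketch for the monitoring step, added here and not part of the original advisory or of any Devolutions tooling. It parses constructed access-log lines, counts the distinct entry identifiers each account requests from the social login connection endpoint within a sliding time window, and flags accounts over a threshold. The log layout, the endpoint path /api/social-login/connection/<id>, the sample lines and the threshold defaults are assumptions; replace the two regular expressions with the real route and log format before using it.

```python
"""Added enumeration detector for CVE-2026-12117-style activity. The log
format, endpoint path and sample lines are constructed for illustration
and are not Devolutions Server's real log format or API route."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: timestamp, user, method, path, status.
# Bob walks seven entry ids in six seconds; alice and carol are normal use.
SAMPLE_LOG = """\
2026-06-17T09:00:01Z alice GET /api/social-login/connection/101 200
2026-06-17T09:00:05Z alice GET /api/vaults/1/entries 200
2026-06-17T09:10:00Z bob GET /api/social-login/connection/101 200
2026-06-17T09:10:01Z bob GET /api/social-login/connection/102 200
2026-06-17T09:10:02Z bob GET /api/social-login/connection/103 200
2026-06-17T09:10:03Z bob GET /api/social-login/connection/104 404
2026-06-17T09:10:04Z bob GET /api/social-login/connection/105 200
2026-06-17T09:10:05Z bob GET /api/social-login/connection/106 200
2026-06-17T09:10:06Z bob GET /api/social-login/connection/107 200
2026-06-17T11:30:00Z carol GET /api/social-login/connection/101 200
2026-06-17T11:45:00Z carol GET /api/social-login/connection/102 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical route; the real endpoint path is not given in the advisory.
ENDPOINT_RE = re.compile(r"^/api/social-login/connection/(?P<entry_id>\d+)$")


def parse_line(line):
    """Return (timestamp, user, entry_id) for a hit on the endpoint, else None.
    Status is ignored on purpose: misses (404/403) are part of an id walk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ep = ENDPOINT_RE.match(m["path"])
    if not ep:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], int(ep["entry_id"]))


def find_enumerators(log_text, window_minutes=5, min_distinct=5):
    """Return {user: distinct_ids} for users who requested at least
    `min_distinct` distinct entry ids inside some window of `window_minutes`.
    Events per user are sorted by time and a two-pointer window slides over them."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, user, entry_id = parsed
            by_user[user].append((ts, entry_id))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):
            # drop events from the front until the window fits
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({eid for _, eid in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= min_distinct:
            flagged[user] = worst
    return flagged


if __name__ == "__main__":
    for user, n in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} distinct social login entry ids within 5 minutes")
```

Tune the window and threshold to the deployment: a user opening a handful of entries during normal work should stay well under the threshold, while an id walk produces dozens of distinct identifiers in seconds. Counting distinct ids rather than raw requests keeps a user repeatedly refreshing one entry from triggering the alert.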

Evidence notes

The CVE-2026-12117 record credits a reporter whose e-mail address is redacted in the stored evidence, and maps the weakness to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vendor's advisory is DEVO-2026-0017 (https://devolutions.net/security/advisories/DEVO-2026-0017/).

Official resources

CVE-2026-12117 was published on 2026-06-16T20:16:27.577Z and last modified on 2026-06-16T20:41:35.520Z.

  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-12117
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-12117
  • Devolutions advisory DEVO-2026-0017: https://devolutions.net/security/advisories/DEVO-2026-0017/