PatchSiren

CVE-2026-2590 Devolutions CVE debrief

CVE-2026-2590 is a critical vulnerability in Devolutions Remote Desktop Manager 2025.3.30 and earlier where the "Disable password saving in vaults" setting is not properly enforced in the connection entry component. As described by the vendor and reflected by NVD, this can allow credentials to be stored in vault entries anyway, potentially exposing sensitive information to other users.

Vendor: Devolutions
Product: CVE-2026-2590
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-03
Original CVE updated: 2026-05-10
Advisory published: 2026-03-03
Advisory updated: 2026-05-10

Who should care

Administrators, security teams, and help desk or operations staff managing Devolutions Remote Desktop Manager deployments, especially shared Windows vault environments where password-saving restrictions are used to prevent credential storage.

Technical summary

The issue is an improper enforcement problem in the connection entry component: even when password saving is disabled, certain connection types can still persist credentials in vault entries. NVD lists affected Windows CPE coverage through version 2025.3.30.0 and assigns CWE-20 as the primary weakness, with CWE-295 also referenced. The practical risk is unintended credential retention that may be visible to other users with vault access.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade Devolutions Remote Desktop Manager to a version newer than 2025.3.30, following the vendor advisory in DEVO-2026-0005.
  • Review vault entries created or edited while password saving was disabled to identify any credentials that may have been stored unexpectedly.
  • Audit shared vault access and connection entry workflows for users who could have persisted sensitive credentials.
  • Rotate or revoke any credentials that may have been exposed through unintended vault storage.
  • Use the official NVD and vendor advisory links to confirm fixed-release guidance and validate your deployment scope.
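
To scope the upgrade and the follow-up vault review, the sketch below triages a software inventory against the 2025.3.30.0 upper bound that NVD lists. It is an added example, not part of the original debrief or any vendor tooling; the host names, the CSV column names and the sample versions are constructed for illustration.

```python
import csv
import io

# Last affected build, taken from the NVD CPE range quoted in this debrief.
LAST_AFFECTED = "2025.3.30.0"

def parse_version(text, width=4):
    """Turn '2025.3.30' into (2025, 3, 30, 0); raise ValueError on junk."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    # Pad so three-part and four-part spellings of a build compare equal.
    return tuple(nums + [0] * (width - len(nums)))

def classify(version_text):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs manual review, never assume it is safe
    # Numeric tuple comparison: a string compare would rank 3.9 above 3.30.
    return "affected" if version <= parse_version(LAST_AFFECTED) else "not-affected"

# Constructed sample inventory (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """host,rdm_version
ws-ops-01,2025.3.30
ws-ops-02,2025.3.30.0
ws-help-03,2025.3.9.0
ws-help-04,2025.3.31.0
ws-adm-05,2026.1.5
ws-adm-06,unknown-build
"""

def triage(inventory_csv):
    """Group hosts by status so affected ones can be upgraded and audited."""
    result = {"affected": [], "not-affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["rdm_version"])].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Here "not-affected" only means the version sits above the NVD range; confirm the fixed release against DEVO-2026-0005 before closing a host out. Hosts in the "affected" group are also the ones whose vault entries should be reviewed for stored credentials.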

Evidence notes

This debrief is based on the official CVE record, the NVD entry, and the linked Devolutions advisory. The supplied source data states the issue affects Devolutions Remote Desktop Manager 2025.3.30 and earlier on Windows, with an NVD CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and a published date of 2026-03-03, later modified on 2026-05-10. NVD references the vendor advisory DEVO-2026-0005 and maps the issue to CWE-20, with CWE-295 also listed.

Official resources

Publicly disclosed on 2026-03-03 via the CVE/NVD record and the linked vendor advisory; the NVD record was later modified on 2026-05-10.