PatchSiren cyber security CVE debrief

CVE-2026-5146 Devolutions CVE debrief

## Summary

Devolutions Server contains an improper access control vulnerability (CWE-862) in its notification management endpoints. An unauthenticated attacker can modify or delete arbitrary user notification records due to missing session validation. The vulnerability affects Devolutions Server 2026.1.6.0 through 2026.1.15.0 and all versions through 2025.3.19.0.

## Technical Details

The vulnerability exists in the notification management endpoints, where session validation is not properly enforced. This allows unauthenticated attackers to interact with user notification records without authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network-based attack vector with low attack complexity, requiring low privileges, with no user interaction needed. The confidentiality impact is low, with no integrity or availability impact.

## Affected Versions

- Devolutions Server 2026.1.6.0 through 2026.1.15.0
- Devolutions Server 2025.3.19.0 and earlier

## Remediation

Devolutions has released security advisory DEVO-2026-0012 addressing this issue. Organizations should upgrade to:

- Devolutions Server 2025.3.20.0 or later (for the 2025.x branch)
- Devolutions Server 2026.1.16.0 or later (for the 2026.x branch)

## Timeline

- **2026-05-12**: CVE published and initial disclosure
- **2026-05-26**: CVE record modified

Vendor: Devolutions
Product: Devolutions Server
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-26
Advisory published: 2026-05-12
Advisory updated: 2026-05-26

Who should care

Organizations using Devolutions Server for privileged access management should prioritize patching to prevent unauthorized manipulation of user notification data, which could be used to suppress security alerts or disrupt audit trails.

Technical summary

Missing session validation in Devolutions Server notification management endpoints enables unauthenticated attackers to modify or delete arbitrary user notification records. Affects versions 2026.1.6.0-2026.1.15.0 and ≤2025.3.19.0. Patched in 2025.3.20.0 and 2026.1.16.0.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Devolutions Server to version 2025.3.20.0 or later (2025.x branch) or 2026.1.16.0 or later (2026.x branch)
  • Review notification management endpoint access logs for unauthorized activity prior to patching
  • Implement network segmentation to limit exposure of Devolutions Server management interfaces
  • Monitor for anomalous notification record modifications in affected systems
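To support the upgrade action above, here is an added triage helper (not PatchSiren's or Devolutions' code) that checks an inventory of Devolutions Server version strings against the affected and fixed versions stated in this debrief; the version strings in the sample inventory are constructed, and versions that fall in neither stated range are reported as unlisted rather than as safe.

```python
# Added example: triage Devolutions Server versions against the ranges this
# debrief states. Ranges are inclusive; anything outside them is only
# "not in a stated range", which is not a statement that it is unaffected.
from typing import Tuple

Version = Tuple[int, ...]

AFFECTED_RANGES = [
    ((2026, 1, 6, 0), (2026, 1, 15, 0)),  # 2026.1.6.0 through 2026.1.15.0
    ((0, 0, 0, 0), (2025, 3, 19, 0)),     # 2025.3.19.0 and earlier
]
# Fixed builds per branch as stated in the Remediation section.
FIXED_2025 = (2025, 3, 20, 0)
FIXED_2026 = (2026, 1, 16, 0)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a comparable tuple, padding missing fields with 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges above."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def remediation(version: str) -> str:
    """One-line verdict: affected with its upgrade target, or not in a stated range."""
    v = parse_version(version)
    if not is_affected(version):
        return f"{version}: not in an affected range"
    target = FIXED_2026 if v[0] >= 2026 else FIXED_2025
    return f"{version}: AFFECTED, upgrade to {'.'.join(map(str, target))} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ["2025.3.19.0", "2025.3.20.0", "2026.1.6.0", "2026.1.15.0",
                "2026.1.16.0", "2024.3.1", "2026.1.5.0"]:
        print(remediation(ver))
```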

Evidence notes

Vulnerability confirmed via NVD with vendor advisory from Devolutions. CVSS 3.1 score of 4.3 (MEDIUM). CPE configurations indicate patched versions 2025.3.20.0 and 2026.1.16.0.

Official resources

2026-05-12