PatchSiren cyber security CVE debrief
CVE-2026-8407 Devolutions CVE debrief
A missing authorization vulnerability in the Privileged Access Management (PAM) module of Devolutions Server allows authenticated users who hold a PAM license but no additional permissions to obtain sensitive authentication material. The flaw, published 2026-05-12 and last modified 2026-05-26, affects Devolutions Server 2026.1.6.0 through 2026.1.11.0 and versions 2025.3.16.0 and earlier. An attacker with such an account can extract OTP secret keys and recovery codes through crafted API requests to PAM endpoints, undermining the multi-factor authentication those secrets protect. The CVSS 3.1 score of 4.3 (Medium) reflects a network attack vector, low attack complexity, low privileges required and no user interaction, with low confidentiality impact and no integrity or availability impact. The root cause is classified as CWE-862 (Missing Authorization). Devolutions has released patched versions; organizations should update to 2025.3.18.0 or later on the 2025.x branch, or 2026.1.12.0 or later on the 2026.x branch.
- Vendor: Devolutions
- Product: Devolutions Server
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-26
Who should care
Organizations using Devolutions Server for privileged access management, security teams managing MFA implementations, identity and access management administrators, and compliance officers responsible for validating authentication controls.
Technical summary
The vulnerability lies in the PAM module's API endpoints, which verify that an authenticated caller holds a valid PAM license but do not check that the caller has any permission on the PAM data being requested. A license is an entitlement to use the module, not an authorization decision about a specific entry, so treating it as one lets any PAM-licensed account retrieve sensitive MFA material, including OTP secret keys and recovery codes, through crafted HTTP requests. The attack requires network access to the server and valid credentials for a PAM-licensed account, but no elevated privileges and no user interaction. The impact is limited to confidentiality (credential exposure); integrity and availability are not affected.
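The CWE-862 pattern described above, as an added illustration that is not Devolutions' code: a hypothetical PAM read handler that treats "holds a PAM license" as authorization, beside a hardened handler that also requires an explicit right on the specific entry. All names, entry identifiers and secret values are constructed for the example.

```python
"""Added example (not the vendor's code): license checks are not authorization.

Models a hypothetical PAM API handler two ways. The vulnerable version only
verifies that the caller holds a PAM license; the fixed version additionally
requires an explicit 'read_secret' right on the requested entry (CWE-862 fix).
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    pam_licensed: bool
    # entry_id -> set of rights granted on that entry (hypothetical model)
    permissions: dict = field(default_factory=dict)


@dataclass
class PamEntry:
    entry_id: str
    otp_secret: str          # constructed sample value, not a real secret
    recovery_codes: list


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested read."""


def get_otp_vulnerable(user: User, entry: PamEntry) -> dict:
    # CWE-862 pattern: a valid license is mistaken for an authorization decision.
    if not user.pam_licensed:
        raise Forbidden("PAM license required")
    return {"otp_secret": entry.otp_secret, "recovery_codes": entry.recovery_codes}


def get_otp_fixed(user: User, entry: PamEntry) -> dict:
    # License is only a precondition; the sensitive read still needs an
    # explicit per-entry right, evaluated on every request (default deny).
    if not user.pam_licensed:
        raise Forbidden("PAM license required")
    if "read_secret" not in user.permissions.get(entry.entry_id, set()):
        raise Forbidden(f"{user.name} lacks read_secret on {entry.entry_id}")
    return {"otp_secret": entry.otp_secret, "recovery_codes": entry.recovery_codes}


# Constructed sample data: one entry, a licensed-only user, and an operator
# who was explicitly granted the right to read that entry's secret.
ENTRY = PamEntry("pam-001", "CONSTRUCTED-SAMPLE-SECRET", ["11111-22222"])
LICENSED_ONLY = User("alice", pam_licensed=True)
OPERATOR = User("bob", pam_licensed=True, permissions={"pam-001": {"read_secret"}})


def outcome(handler, user: User, entry: PamEntry) -> str:
    """Return 'leaked'/'returned' if the handler released the secret, else 'denied'."""
    try:
        handler(user, entry)
        return "returned"
    except Forbidden:
        return "denied"
```

Running `outcome(get_otp_vulnerable, LICENSED_ONLY, ENTRY)` returns "returned" while the fixed handler returns "denied" for the same caller and still serves the explicitly authorized operator.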
Defensive priority
Medium
Recommended defensive actions
- Upgrade Devolutions Server to version 2025.3.18.0 or later (2025.x branch) or 2026.1.12.0 or later (2026.x branch).
- Review PAM module access logs for anomalous API requests from users with minimal permissions, covering the window from the 2026-05-12 publication date until the patch is applied.
- Audit existing PAM-licensed user accounts to confirm they align with least-privilege access.
- Rotate OTP secrets and recovery codes for affected accounts if compromise is suspected.
- Monitor downstream authentication systems for unauthorized use of any extracted credentials.
Evidence notes
The vulnerability description and affected version ranges are derived from the NVD CPE criteria and the vendor advisory. The CVSS vector and CWE classification are taken from NVD metadata. Timeline dates follow the CVE record's published and modified timestamps.
Official resources
- CVE-2026-8407 CVE record (CVE.org)
- CVE-2026-8407 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory (2026-05-12)