PatchSiren

Devolutions CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Devolutions CVE published 2026-06-16

CVE-2026-12117

CVE-2026-12117 is an improper access control vulnerability in the social login connection endpoint of Devolutions Server 2026.2.5. An authenticated vault member can exploit this vulnerability to enumerate social login entry metadata to which they are not authorized via a crafted API request. The Common Weakness Enumeration (CWE) associated with this vulnerability is CWE-200. The CVE was published on [cveP [truncated]

MEDIUM Devolutions CVE published 2026-06-16

CVE-2026-12105

CVE-2026-12105 is an improper access control vulnerability in Devolutions Server versions 2026.2.5 and 2026.1.21. An authenticated user can exploit this vulnerability to access attachments by duplicating a folder and inheriting permissions.

MEDIUM Devolutions CVE published 2026-06-16

CVE-2026-11890

CVE-2026-11890 is an improper access control vulnerability affecting Devolutions Server versions 2026.2.5 and 2026.1.21. The vulnerability allows an authenticated user to retrieve account discovery scan results. The CVE record is available at [cve.org](https://www.cve.org/CVERecord?id=CVE-2026-11890) and the corresponding entry at [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-11890).

MEDIUM Devolutions CVE published 2026-06-16

CVE-2026-12162

CVE-2026-12162 is an improper host validation vulnerability in the social login autofill feature of Devolutions Remote Desktop Manager 2026.2.8. This vulnerability allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.

HIGH Devolutions CVE published 2026-06-16

CVE-2026-12161

CVE-2026-12161 is an improper input validation vulnerability in Devolutions Remote Desktop Manager 2026.2.7. An authenticated user with permission to create or modify a shared SSH entry can execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alternate username and user interaction with the Elevate Shell action.

MEDIUM Devolutions CVE published 2026-06-12

CVE-2026-8694

CVE-2026-8694 is a medium-severity vulnerability (CVSS score: 5.3) affecting Devolutions PowerShell Universal 2026.1.7 and earlier. The vulnerability is caused by improper access control, allowing an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

MEDIUM Devolutions CVE published 2026-06-08

CVE-2026-10787

CVE-2026-10787 is a medium-severity vulnerability in Devolutions Server, allowing an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects Devolutions Server 2026.2.4.0 and 2026.1.20.0 and earlier.

MEDIUM Devolutions CVE published 2026-06-08

CVE-2026-10786

CVE-2026-10786 is a medium-severity vulnerability in Devolutions Server, with a CVSS score of 6.5. The issue, described as improper access control in the ticketing integration settings, allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request.

MEDIUM Devolutions CVE published 2026-06-08

CVE-2026-10544

CVE-2026-10544 is a medium-severity vulnerability in Devolutions Server, which allows an authenticated user with write access to a vault to execute arbitrary commands on systems managed by the affected PAM provider. The issue arises from improper neutralization of special elements in built-in PAM provider password rotation templates.

MEDIUM Devolutions CVE published 2026-05-12

CVE-2026-5146

## Summary

Devolutions Server contains an improper access control vulnerability (CWE-862) in its notification management endpoints. An unauthenticated attacker can modify or delete arbitrary user notification records due to missing session validation. The vulnerability affects Devolutions Server 2026.1.6.0 through 2026.1.15.0 and all versions through 2025.3.19.0.

## Technical Details

The vulnerability exi [truncated]

MEDIUM Devolutions CVE published 2026-05-12

CVE-2026-8407

A missing authorization vulnerability in Devolutions Server's Privileged Access Management (PAM) module allows authenticated users with a PAM license but no additional permissions to obtain sensitive authentication material. The flaw, published 2026-05-12 and last modified 2026-05-26, affects Devolutions Server 2026.1.6.0 through 2026.1.11.0 and versions 2025.3.16.0 and earlier. Attackers can extract OTP [truncated]

CRITICAL Devolutions CVE published 2026-03-03

CVE-2026-2590

CVE-2026-2590 is a critical vulnerability in Devolutions Remote Desktop Manager 2025.3.30 and earlier where the "Disable password saving in vaults" setting is not properly enforced in the connection entry component. As described by the vendor and reflected by NVD, this can allow credentials to be stored in vault entries anyway, potentially exposing sensitive information to other users.