CVE-2026-5171

Summary

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request.

This issue affects :

  • Devolutions Server 2026.1.6.0 through 2026.1.16.0
  • Devolutions Server 2025.3.20.0 and earlier

Affected Software

VendorProductVersion RangeStatus
DevolutionsServer2026.1.6.0 <= 2026.1.16.0affected
DevolutionsServer0 <= 2025.3.20.0affected

Weaknesses

  • CWE-284: CWE-284 Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References