CVE-2026-6706

Summary

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.

This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.

Affected Software

VendorProductVersion RangeStatus
DevolutionsServer2026.1.6.0 <= 2026.1.14.0affected
DevolutionsServer0 <= 2025.3.18.0affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References