CVE-2026-9246

Summary

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.

This issue affects :

  • Devolutions Server 2026.1.6.0 through 2026.1.16.0
  • Devolutions Server 2025.3.20.0 and earlier

Affected Software

VendorProductVersion RangeStatus
DevolutionsServer2026.1.6.0 <= 2026.1.16.0affected
DevolutionsServer0 <= 2025.3.20.0affected

Weaknesses

  • CWE-862: CWE-862 Missing authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References