
Improper Access Control Vulnerabilities in Devolutions Server

Severity: Medium (Score: 45.9)

Sources: cve.org, Nvd.Nist, devolutions.net

Published: 2026-06-02 · Updated: 2026-06-03

Keywords: improper, access, control, devolutions, server, earlier, allows

Summary

Devolutions Server versions 2026.1.19 and earlier contain multiple improper access control vulnerabilities. An authenticated user with entry edit privileges can modify asset information, and an authenticated user without administrative privileges can delete network discovery scan configurations (CVE-2026-9522); neither action should be permitted at that privilege level. A further issue allows sealed credentials to be used without an alert being raised. Devolutions has released fixed versions 2026.2.4 and 2026.1.20, and users are advised to upgrade to one of them. The individual issues carry differing CVSS scores in the medium to low range. As of the publication date, no active exploitation had been reported.

Key Points:
  • Devolutions Server 2026.1.19 and earlier are affected by multiple access control vulnerabilities.
  • CVE-2026-9522 allows non-admin users to delete network discovery scan configurations.
  • Upgrading to version 2026.2.4 or 2026.1.20 is recommended to mitigate these vulnerabilities.

Detailed Analysis

**Impact** Organizations running Devolutions Server 2026.1.19 or earlier are affected, particularly those relying on the PAM account discovery and asset management features. Authenticated users with limited privileges can modify or delete configurations they should not be able to touch, potentially disrupting network discovery and asset management. This can result in unauthorized data manipulation and operational interruptions for any organization that depends on the product for privileged access management. The sources give no geographic or sector breakdown.

**Technical Details** The vulnerabilities are improper access control flaws in several components of Devolutions Server 2026.1.19 and earlier: the permission validation component, the PAM account discovery feature, and the Synchronizer feature. Exploitation requires authenticated access, with the privilege level needed varying by issue. The flaws allow modification of asset information by a user holding only entry edit privileges, deletion of network discovery scan configurations by a user without administrative privileges (CVE-2026-9522), and use of sealed credentials without an alert. The attack vector is network-based and no user interaction is required. No malware or indicators of compromise are mentioned in the sources.

**Recommended Response** Upgrade to Devolutions Server 2026.2.4 or later, or 2026.1.20 or later, as soon as possible. Until then, tighten role assignments so that entry edit privileges are granted only where needed, and monitor for unexpected changes to asset records and network discovery scan configurations. Deploy detection rules for anomalous use of Synchronizer entries, and review audit logs for privilege misuse. The source materials provide no detection signatures.
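Two checks a defender might script from the advisory text above, as an added example (this is not Devolutions' code and not code from the page's sources). The version thresholds are the fixed releases named in the advisory, 2026.1.20 and 2026.2.4; the treatment of release lines newer than 2026.2 as "2026.2.4 or later" is an assumption. The audit-event schema, role names (`admin`, `entry_edit`, `asset_manage`) and sample events are constructed for illustration and do not reflect Devolutions Server's real audit log format.

```python
"""Version check and audit-log review derived from the advisory text.

Added example, not code from Devolutions. The version thresholds come from
the advisory (fixed in 2026.1.20 and 2026.2.4). The audit-event schema, role
names and sample events below are CONSTRUCTED; the real Devolutions Server
audit log format is not shown on the page and will differ.
"""
import json
from typing import Callable, List, Tuple

# Fixed patch level per release line, per the advisory.
FIX_BY_LINE = {(2026, 1): 20, (2026, 2): 4}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2026.1.19' (or '2026.1.19.0') into (2026, 1, 19)."""
    parts = [int(p) for p in version.strip().split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_fixed(version: str) -> bool:
    """True if this Devolutions Server version carries the fix."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIX_BY_LINE:
        return patch >= FIX_BY_LINE[line]
    # Assumption: release lines newer than 2026.2 count as "2026.2.4 or
    # later"; anything older than 2026.1 is "2026.1.19 and earlier".
    return line > (2026, 2)


# Constructed sample audit log, one JSON object per line. Field and role
# names are hypothetical stand-ins for whatever the real log records.
SAMPLE_AUDIT_LOG = """
{"ts": "2026-06-02T09:14:07Z", "user": "alice", "roles": ["admin"], "action": "delete", "target": "network_discovery_scan", "target_id": "scan-12"}
{"ts": "2026-06-02T09:20:41Z", "user": "bob", "roles": ["entry_edit"], "action": "delete", "target": "network_discovery_scan", "target_id": "scan-7"}
{"ts": "2026-06-02T09:22:03Z", "user": "bob", "roles": ["entry_edit"], "action": "modify", "target": "asset", "target_id": "asset-31"}
{"ts": "2026-06-02T09:25:55Z", "user": "carol", "roles": ["entry_edit", "asset_manage"], "action": "modify", "target": "asset", "target_id": "asset-31"}
{"ts": "2026-06-02T09:31:10Z", "user": "dave", "roles": ["entry_edit"], "action": "use_credential", "target": "synchronizer_entry", "target_id": "sync-3", "sealed": true, "alert_raised": false}
"""

# One rule per abuse pattern the advisory describes: a predicate over an event.
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("non-admin deleted a network discovery scan configuration (CVE-2026-9522 pattern)",
     lambda e: e["action"] == "delete"
     and e["target"] == "network_discovery_scan"
     and "admin" not in e["roles"]),
    ("asset modified by a user holding only entry edit rights",
     lambda e: e["action"] == "modify"
     and e["target"] == "asset"
     and "asset_manage" not in e["roles"]),
    ("sealed credential used through a Synchronizer entry with no alert raised",
     lambda e: e["action"] == "use_credential"
     and e.get("sealed", False)
     and not e.get("alert_raised", False)),
]


def find_privilege_misuse(audit_log: str) -> List[Tuple[str, str, str]]:
    """Return (rule, user, target_id) for every event that matches a rule.

    On a patched server these actions should be refused outright; on a
    2026.1.19-or-earlier server they show where the missing checks were hit.
    """
    hits = []
    for line in audit_log.strip().splitlines():
        event = json.loads(line)
        for name, matches in RULES:
            if matches(event):
                hits.append((name, event["user"], event["target_id"]))
    return hits


if __name__ == "__main__":
    for v in ("2026.1.19", "2026.1.20", "2026.2.3", "2026.2.4"):
        print(f"{v}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
    for rule, user, target in find_privilege_misuse(SAMPLE_AUDIT_LOG):
        print(f"{user} -> {target}: {rule}")
```

Against the constructed sample, the admin's scan deletion and the asset change by a user who also holds asset management rights pass, while the non-admin scan deletion, the entry-edit-only asset change and the alert-less sealed credential use are reported. To use this against a real deployment, replace the sample with an export of the server's audit log and map its actual field and role names into the three predicates.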

Source articles (3)

  • CVE-2026-9522 Detail — Nvd.Nist · 2026-06-02
    Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan…
  • DEVO 2026 0014 — devolutions.net · 2026-06-02
    Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without t…
  • CVE-2026-9522 — cve.org · 2026-06-02

Timeline

  • 2026-06-02 — CVE-2026-9522 published: Improper access control in Devolutions Server allows unauthorized deletion of network scan configurations by non-admin users.
  • 2026-06-02 — Devolutions advisory released: Devolutions disclosed multiple access control vulnerabilities in Server 2026.1.19 and earlier, urging users to upgrade.

CVEs

  • CVE-2026-9522

Related entities

  • Devolutions (Company)
  • CWE-269 - Improper Privilege Management (CWE)
  • CWE-287 - Improper Authentication (CWE)