Description
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None
Affected products
- Devolutions / Server2026.1.6.0 – 2026.1.16.0
- Devolutions / Server0 – 2025.3.20.0
References
- VENDOR_ADVISORYhttps://devolutions.net/security/advisories/DEVO-2026-0013/