Devolutions Devolutions Server — known CVE vulnerabilities
Every CVE whose affected-product data names Devolutions Devolutions Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (105)
CVE-2024-2921 — CVSS 9.8 (critical): Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to…
CVE-2026-3224 — CVSS 9.8 (critical): Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an…
CVE-2026-3204 — CVSS 9.8 (critical): Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the…
CVE-2026-3130 — CVSS 9.8 (critical): Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete…
CVE-2026-0610 — CVSS 9.8 (critical): SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12
CVE-2021-23921 — CVSS 9.1 (critical): An issue was discovered in Devolutions Server before 2020.3. There is broken access control on Password List entry elements.
CVE-2026-14536 — CVSS 8.8 (high): Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user…
CVE-2022-33996 — CVSS 8.8 (high): Incorrect permission management in Devolutions Server before 2022.2 allows a new user with a preexisting username to inherit the…
CVE-2025-11619 — CVSS 8.8 (high): Improper certificate validation when connecting to gateways in Devolutions Server 2025.3.2 and earlier allows attackers in MitM position to…
CVE-2025-4433 — CVSS 8.8 (high): Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both…
CVE-2023-0951 — CVSS 8.8 (high): Improper access controls on some API endpoints in Devolutions Server 2022.3.12 and earlier could allow a standard privileged user to…
CVE-2025-13757 — CVSS 8.8 (high): SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through…
CVE-2023-0953 — CVSS 8.8 (high): Insufficient input sanitization in the documentation feature of Devolutions Server 2022.3.12 and earlier allows an authenticated attacker…
CVE-2024-2915 — CVSS 8.8 (high): Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT…
CVE-2025-12485 — CVSS 8.8 (high): Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to…
CVE-2025-11957 — CVSS 8.4 (high): Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to…
CVE-2026-4924 — CVSS 8.2 (high): Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker…
CVE-2026-4828 — CVSS 8.2 (high): Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid…
CVE-2025-2280 — CVSS 8.1 (high): Improper access control in web extension restriction feature in Devolutions Server 2024.3.4.0 and earlier allows an authenticated user to…
CVE-2021-23923 — CVSS 8.1 (high): An issue was discovered in Devolutions Server before 2020.3. There is Broken Authentication with Windows domain users.
CVE-2026-4434 — CVSS 8.1 (high): Improper certificate validation in the PAM propagation WinRM connections allows a network attacker to perform a man-in-the-middle attack…
CVE-2025-6741 — CVSS 7.7 (high): Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via…
CVE-2025-6523 — CVSS 7.7 (high): Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass…
CVE-2026-1007 — CVSS 7.6 (high): Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This…
CVE-2026-9047 — CVSS 7.6 (high): Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with…
CVE-2024-1764 — CVSS 7.6 (high): Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to…
CVE-2021-23924 — CVSS 7.5 (high): An issue was discovered in Devolutions Server before 2020.3. There is an exposure of sensitive information in diagnostic files.
CVE-2023-5240 — CVSS 7.5 (high): Improper access control in PAM propagation scripts in Devolutions Server 2023.2.8.0 and ealier allows an attack with permission to manage…
CVE-2025-2277 — CVSS 7.5 (high): Exposure of password in web-based SSH authentication component in Devolutions Server 2024.3.13 and earlier allows a user to unadvertently…
CVE-2021-28157 — CVSS 7.2 (high): An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to…
CVE-2025-2003 — CVSS 7.1 (high): Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root'…
CVE-2025-8312 — CVSS 7.1 (high): Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out…
CVE-2026-7325 — CVSS 7.1 (high): Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain…
CVE-2025-5382 — CVSS 6.8 (medium): Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to…
CVE-2023-1603 — CVSS 6.5 (medium): Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users…
CVE-2025-12808 — CVSS 6.5 (medium): Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists…
CVE-2025-13683 — CVSS 6.5 (medium): Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows.This issue affects Devolutions…
CVE-2023-1201 — CVSS 6.5 (medium): Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker that…
CVE-2025-2278 — CVSS 6.5 (medium): Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an…
CVE-2023-0952 — CVSS 6.5 (medium): Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data…
CVE-2025-4493 — CVSS 6.5 (medium): Improper privilege assignment in PAM JIT privilege sets in Devolutions Server allows a PAM user to perform PAM JIT requests on unauthorized…
CVE-2023-5575 — CVSS 6.5 (medium): Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a…
CVE-2023-0661 — CVSS 6.5 (medium): Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data.
CVE-2026-6706 — CVSS 6.5 (medium): Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation…
CVE-2026-4927 — CVSS 6.5 (medium): Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain…
CVE-2024-12196 — CVSS 6.5 (medium): Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the…
CVE-2021-28048 — CVSS 6.5 (medium): An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker…
CVE-2026-3131 — CVSS 6.5 (medium): Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with…
CVE-2026-12105 — CVSS 6.5 (medium): Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication…
CVE-2026-10786 — CVSS 6.5 (medium): Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain…
CVE-2024-5072 — CVSS 6.5 (medium): Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with…
CVE-2024-6512 — CVSS 6.5 (medium): Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users…
CVE-2026-10544 — CVSS 6.5 (medium): Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an…
CVE-2022-3781 — CVSS 6.5 (medium): Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop…
CVE-2025-3517 — CVSS 6.3 (medium): Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a…
CVE-2024-4846 — CVSS 6.3 (medium): Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to…
CVE-2021-23925 — CVSS 6.1 (medium): An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of type…
CVE-2025-8353 — CVSS 5.9 (medium): UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a…
CVE-2026-3638 — CVSS 5.9 (medium): Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged…
CVE-2024-1900 — CVSS 5.5 (medium): Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an…
CVE-2026-9251 — CVSS 5.4 (medium): Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass…
CVE-2025-1231 — CVSS 5.4 (medium): Improper password reset in PAM Module in Devolutions Server 2024.3.10.0 and earlier allows an authenticated user to reuse the oracle user…
CVE-2026-9522 — CVSS 5.4 (medium): Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user…
CVE-2022-2316 — CVSS 5.4 (medium): HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or…
CVE-2026-4829 — CVSS 5.4 (medium): Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user…
CVE-2023-2118 — CVSS 5.4 (medium): Insufficient access control in support ticket feature in Devolutions Server 2023.1.5.0 and below allows an authenticated attacker to send…
CVE-2023-6264 — CVSS 5.3 (medium): Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the…
CVE-2023-5358 — CVSS 5.3 (medium): Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from…
CVE-2026-9590 — CVSS 5.3 (medium): Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user…
CVE-2025-3768 — CVSS 5.0 (medium): Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to…
CVE-2026-4925 — CVSS 5.0 (medium): Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced…
CVE-2024-12151 — CVSS 5.0 (medium): Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old…
CVE-2025-0691 — CVSS 5.0 (medium): Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the…
CVE-2026-9245 — CVSS 5.0 (medium): Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to…
CVE-2026-5175 — CVSS 5.0 (medium): Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to…
CVE-2026-3221 — CVSS 4.9 (medium): Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker…
CVE-2023-2445 — CVSS 4.9 (medium): Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator…
CVE-2026-9246 — CVSS 4.3 (medium): Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault…
CVE-2025-13765 — CVSS 4.3 (medium): Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server…
CVE-2024-3545 — CVSS 4.3 (medium): Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on windows and…
CVE-2026-10787 — CVSS 4.3 (medium): Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate…
CVE-2026-11890 — CVSS 4.3 (medium): Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve…
CVE-2026-12117 — CVSS 4.3 (medium): Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to…
CVE-2026-1768 — CVSS 4.3 (medium): A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This…
CVE-2024-1901 — CVSS 4.3 (medium): Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with…
CVE-2024-1898 — CVSS 4.3 (medium): Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change…
CVE-2026-4989 — CVSS 4.3 (medium): Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform…
CVE-2026-5146 — CVSS 4.3 (medium): Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or…
CVE-2026-5171 — CVSS 4.3 (medium): Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but…
CVE-2024-12148 — CVSS 4.3 (medium): Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to…
CVE-2024-10971 — CVSS 4.3 (medium): Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated user to…
CVE-2026-8407 — CVSS 4.3 (medium): Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions…
CVE-2026-9223 — CVSS 4.3 (medium): Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user…
CVE-2026-9224 — CVSS 4.3 (medium): Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify…
CVE-2025-4316 — CVSS 4.3 (medium): Improper access control in PAM feature in Devolutions Server allows a PAM user to self approve their PAM requests even if disallowed by the…
CVE-2025-11958 — CVSS 4.1 (medium): An improper input validation in the Security Dashboard ignored-tasks API of Devolutions Server 2025.2.15.0 and earlier allows an…
CVE-2024-2918 — CVSS 3.6 (low): Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM…
CVE-2025-13758 — CVSS 3.5 (low): Exposure of credentials in unintended requests in Devolutions Server.This issue affects Server: through 2025.2.20, through 2025.3.8.
CVE-2026-9249 — CVSS 3.1 (low): Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a…
CVE-2026-12755 — CVSS 2.7 (low): Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated…
CVE-2023-2400 — CVSS 2.7 (low): Improper deletion of resource in the user management feature in Devolutions Server 2023.1.8 and earlier allows an administrator to view…
CVE-2026-8477 — CVSS 2.7 (low): Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an…
CVE-2021-36382 — CVSS 2.6 (low): Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack…
CVE-2026-9248 — CVSS 2.6 (low): Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to…
CVE-2026-9247 — CVSS 2.4 (low): Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a…