CVE-2026-10544
Description
Devolutions Server PAM provider vulnerability allows authenticated users to execute arbitrary commands via password rotation templates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper neutralization of special elements within the built-in PAM provider password rotation templates in Devolutions Server allows for command execution. This vulnerability affects Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier [1].
Exploitation
An authenticated user with write access to a vault can exploit this vulnerability by manipulating the password rotation templates. This manipulation allows them to inject and execute arbitrary commands on the systems managed by the affected PAM provider [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the systems managed by the PAM provider. This could lead to a full compromise of the managed systems, depending on the privileges of the PAM provider service account [1].
Mitigation
Devolutions has released patches for this vulnerability. Users are advised to update to the latest available version. Specific fixed versions are detailed in the vendor advisory [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 1
- Devolutions Server: Three Medium-Severity Flaws Disclosed Together (Vypr Intelligence · Jun 8, 2026)