CVE-2026-10786
Description
Authenticated low-privileged users can steal cleartext ticketing integration credentials from Devolutions Server via API requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Improper access control in the ticketing integration settings of Devolutions Server allows an authenticated, low-privileged user to obtain cleartext credentials for configured ticketing integrations. This vulnerability affects Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier [1].
Exploitation
An authenticated attacker with low privileges on Devolutions Server can exploit this vulnerability by sending a crafted API request to the ticketing integration settings endpoint. This request bypasses access controls, allowing the attacker to retrieve sensitive credentials [1].
Impact
Successful exploitation allows an attacker to obtain cleartext credentials for configured ticketing integrations. This could lead to further compromise of integrated ticketing systems or unauthorized access to sensitive information managed by those systems [1].
Mitigation
Devolutions has released updated versions to address this vulnerability. Users should update to a fixed version as soon as possible. Specific fixed version details are available in the vendor advisory [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2026.2.4.0, 2026.1.20.0 and earlier
Patches
No patches discovered yet.
References
News mentions
- Devolutions Server: Three Medium-Severity Flaws Disclosed Together, Vypr Intelligence · Jun 8, 2026