CVE-2026-10787
Description
Devolutions Server 2026.2.4.0 and earlier have a missing authorization flaw in the deleted user groups API, allowing low-privileged users to enumerate deleted group metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier contain a missing authorization vulnerability in the deleted user groups API. This flaw allows an authenticated user with low privileges to access and enumerate metadata of deleted user groups [1].
Exploitation
An attacker must first authenticate to Devolutions Server as a low-privileged user. Once authenticated, the attacker can send a crafted API request to the deleted user groups endpoint to enumerate metadata of deleted user groups [1].
Impact
Successful exploitation of this vulnerability allows an attacker to enumerate metadata of deleted user groups. This could lead to unauthorized disclosure of sensitive information related to previously removed groups [1].
Mitigation
Devolutions has released updated versions to address this vulnerability. Users are advised to upgrade to a fixed version. Specific fixed version details are available in the vendor advisory [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2026.2.4.0, 2026.1.20.0 and earlier
Patches
No patches discovered yet.
References
News mentions
- Devolutions Server: Three Medium-Severity Flaws Disclosed Together, Vypr Intelligence · Jun 8, 2026