CVE-2026-11890
Description
An authenticated user can retrieve PAM account discovery scan results due to improper access control in Devolutions Server 2026.2.5 and 2026.1.21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Improper access control in the PAM account discovery functionality of Devolutions Server versions 2026.2.5 and 2026.1.21 allows an authenticated user to retrieve account discovery scan results [1]. The flaw is that a user who is not authorized to view such results can still retrieve them by sending a crafted request.
Exploitation
An attacker must have valid authentication credentials for the Devolutions Server. No specific network position or additional privileges are required beyond standard user access. The attacker can exploit the flaw by making a specially crafted API call or request to the account discovery endpoint, bypassing the intended access controls [1].
Impact
Successful exploitation results in the disclosure of account discovery scan results, which may include sensitive information such as discovered accounts, their configurations, and network topology details. This is a confidentiality impact, potentially leading to further attacks on the environment.
Mitigation
Devolutions has released updates to address this vulnerability. Users should upgrade to Devolutions Server version 2026.2.5 or later, or apply the specific patches referenced in the advisory [1]. No workarounds have been published.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2026.2.5, =2026.1.21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.