CVE-2026-12105
Description
Improper access control in Devolutions Server allows authenticated users to access attachments via folder duplication with inherited permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper access control vulnerability exists in Devolutions Server versions 2026.2.5 and 2026.1.21. When a folder with inherited permissions is duplicated, the access control mechanism fails to properly restrict access to attachments, allowing an authenticated user to access attachments they should not be able to see [1].
Exploitation
An attacker must be authenticated to the Devolutions Server. The attacker then duplicates a folder that has inherited permissions. Due to the improper access control, the duplication process may carry over permissions that inadvertently grant the attacker access to the attachments within that folder [1].
Impact
Successful exploitation allows an authenticated user to read attachments that are not intended for their access level. This could lead to unauthorized disclosure of sensitive information contained in the attachments [1].
Mitigation
As of the publication date, no fixed version has been disclosed in the available references. Users are advised to monitor the vendor's advisory for updates [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 2026.2.5, 2026.1.21
Patches
No patches discovered yet.
References