CVE-2026-12117
Description
An improper access control vulnerability in Devolutions Server 2026.2.5 allows authenticated vault members to enumerate unauthorized social login metadata via crafted API requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the social login connection endpoint of Devolutions Server 2026.2.5. Due to improper access control, an authenticated vault member can enumerate metadata of social login entries to which they are not authorized. The affected version is specifically 2026.2.5. [1]
Exploitation
An attacker must be an authenticated vault member. By crafting a specific API request to the social login connection endpoint, they can retrieve metadata of social login entries that are restricted from their role. No additional privileges or user interaction beyond authentication are required. [1]
Impact
Successful exploitation results in unauthorized disclosure of social login entry metadata, potentially revealing configuration details about social login providers. The attacker gains information disclosure but does not obtain the ability to modify or use those social logins. [1]
Mitigation
Devolutions has published security advisory DEVO-2026-0017 addressing this issue. Users should upgrade to a patched version of Devolutions Server as soon as possible. No workarounds have been disclosed. [1]
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2026.2.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.