VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

CVE-2026-12162

Description

CVE-2026-12162: Improper host validation in Devolutions RDM autofill credentials to a lookalike domain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2026-12162 is an improper host validation vulnerability in the social login autofill feature of Devolutions Remote Desktop Manager version 2026.2.8. The feature fails to properly validate the host of a web entry, allowing an attacker to craft a malicious entry that points to a provider lookalike domain. When the autofill feature is triggered, the stored social login credentials for the legitimate provider are disclosed to the attacker-controlled domain.
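The host check an autofill feature needs before releasing stored credentials, as an added example: this is not Devolutions' code, and the advisory does not describe the actual flawed logic. The provider name, allowlist and URLs are constructed placeholders, and the substring check is an assumed weak pattern shown only for contrast with exact matching of the parsed host.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts on which a provider's stored credentials may be filled.
PROVIDER_HOSTS = {"example-idp": {"login.provider.example"}}

def canonical_host(url):
    """Return the lowercase ASCII (IDNA) host of an https URL, or None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        if parts.scheme != "https" or not host:
            return None
        # Drop a trailing root dot, then convert Unicode labels to punycode
        # so homoglyph hosts never compare equal to the ASCII original.
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return None

def naive_match(url, provider):
    """Assumed weak pattern, for contrast: substring test on the raw URL."""
    return any(h in url for h in PROVIDER_HOSTS[provider])

def strict_match(url, provider):
    """Exact comparison of the parsed host against the provider allowlist."""
    host = canonical_host(url)
    return host is not None and host in PROVIDER_HOSTS.get(provider, set())

# Constructed web-entry URLs: one legitimate, the rest lookalikes.
SAMPLES = [
    "https://login.provider.example/oauth",
    "https://login.provider.example.lookalike.test/oauth",  # provider name as subdomain
    "https://login.provider.example@lookalike.test/",       # provider name as userinfo
    "https://lookalike.test/?next=login.provider.example",  # provider name in query
    "https://login.prov\u0456der.example/",                  # Cyrillic homoglyph label
    "http://login.provider.example/",                       # right host, no TLS
]

def compare(samples, provider="example-idp"):
    """Return (url, naive_result, strict_result) for each sample."""
    return [(u, naive_match(u, provider), strict_match(u, provider)) for u in samples]

if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url!r}")
```

Only the first sample passes the strict check; the substring test also accepts the next three lookalikes and the plain-HTTP URL.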

Exploitation

An attacker needs to convince a user with stored social login credentials in Devolutions Remote Desktop Manager to interact with a crafted web entry hosted on a lookalike domain. The attacker must have the ability to deliver or make accessible this malicious web entry to the target user. The autofill feature then automatically submits the credentials (username/password or tokens) to the attacker's domain, completing the disclosure.

Impact

Successful exploitation results in the disclosure of stored social login credentials from Devolutions Remote Desktop Manager. This is a confidentiality impact, as the attacker gains unauthorized access to the user's social login credentials for the legitimate provider. These credentials could then be used to compromise the user's accounts on third-party services that rely on that social login.

Mitigation

Devolutions has released a security advisory (DEVO-2026-0018) addressing this vulnerability. Users should upgrade to a patched version beyond 2026.2.8 as recommended by Devolutions. The advisory is available at [1]. No workarounds are documented in the available references.

References
  1. advisories

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
