VYPR
Medium severity 4.3 · NVD Advisory · Published May 12, 2026 · Updated May 26, 2026

CVE-2026-8407

Description

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.

This issue affects the following versions:

* Devolutions Server 2026.1.6.0 through 2026.1.11.0
* Devolutions Server 2025.3.16.0 and earlier

Affected products

  • cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* (range: <2025.3.18.0)
  • (no CPE) (range: <=2025.3.16.0, 2026.1.6.0 - 2026.1.11.0)
