Medium severity4.3NVD Advisory· Published May 22, 2026· Updated May 22, 2026
CVE-2026-9246
CVE-2026-9246
Description
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request.
This issue affects :
- Devolutions Server 2026.1.6.0 through 2026.1.16.0
- Devolutions Server 2025.3.20.0 and earlier
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*range: <2025.3.22.0
- (no CPE)range: >=2026.1.6.0, <=2026.1.16.0 || <=2025.3.20.0
Patches
Vulnerability mechanics
References
1- devolutions.net/security/advisories/DEVO-2026-0013/nvdVendor Advisory
News mentions
1- Devolutions Server: Nine CVEs Disclosed in Single Advisory — MFA Bypass, Auth Flaws, and Access Control GapsVypr Intelligence · May 22, 2026