Vypr advisory · Published Jun 16, 2026 · Updated Jun 18, 2026 · 1 source

Devolutions Server: Three Access-Control Bypass CVEs Disclosed Together


Key findings

  • Three improper-access-control CVEs disclosed together for Devolutions Server
  • CVE-2026-12117 lets authenticated users enumerate social login metadata via a crafted API request
  • CVE-2026-12105 bypasses folder ACLs by duplicating folders with inherited permissions
  • CVE-2026-11890 exposes PAM account discovery scan results to any authenticated user
  • Affected versions: 2026.2.5 and 2026.1.21; no patch released yet

Devolutions Server, the flagship privileged access management (PAM) platform, had three improper-access-control vulnerabilities disclosed together on June 16, 2026. All three CVEs — CVE-2026-12117, CVE-2026-12105, and CVE-2026-11890 — affect versions 2026.2.5 and 2026.1.21 and allow authenticated users to reach resources they should not be able to see. The cluster is notable because each flaw bypasses a different authorization boundary, yet all share the same root cause: the server fails to re-verify permissions when handling cross-resource operations.

CVE-2026-12117 targets the social login connection endpoint. An authenticated vault member can craft an API request that enumerates metadata about social login entries belonging to other vaults or roles. Because the endpoint checks only that the requester is authenticated, not that they hold the necessary vault-level or role-level permission, the metadata of every configured social login provider becomes readable.

CVE-2026-12105 abuses the folder-duplication feature. When a user duplicates a folder, the new copy inherits the permissions of the original. An authenticated attacker can duplicate a folder they can see but whose contents they should not be able to read, and the inherited permissions on the copy grant them access to the attachments inside. The flaw effectively lets a user escalate their read access to any attachment stored in a folder they can reach, even where the folder's explicit ACL would deny them.

CVE-2026-11890 concerns PAM account discovery scan results. Devolutions Server can run scheduled or manual scans to discover accounts in connected directory services and other targets. The results of those scans are stored and should be visible only to administrators or users with the appropriate PAM role. However, the access-control check on the results endpoint is missing, so any authenticated user can retrieve the full account discovery output — potentially revealing service accounts, domain admin accounts, and other privileged identities.

Devolutions has not yet released a patch advisory for these three CVEs. The affected versions are 2026.2.5 and 2026.1.21; users running those builds should monitor the Devolutions security advisory page for a fixed release. No in-the-wild exploitation has been reported as of the disclosure date.

For organizations using Devolutions Server as their PAM hub, this batch is a reminder that authorization boundaries must be re-validated at every resource transition — folder duplication, API endpoint calls, and scan-result retrieval all bypassed the same type of check. Until patches land, administrators should audit which authenticated users have access to folders and social login configurations, and consider restricting API access to the affected endpoints where possible.
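The shared root cause behind all three CVEs, an endpoint that stops at "is the caller logged in?" instead of re-checking the caller's permission on the concrete resource at each transition, is easiest to see side by side. The following is an added example written for this page, a constructed toy model and not code from Devolutions Server or any real API; the user, vault, folder, role and provider names are assumptions. Each vulnerable handler (authentication only) sits next to its hardened form (per-resource authorization), covering the social login metadata lookup, the PAM scan-result retrieval, and the folder duplication that must prove read permission on the source before copying its attachments.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but holds no permission on the requested resource."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()   # e.g. "pam-admin" (assumed role name)
    vaults: frozenset = frozenset()  # vaults the user is a member of


@dataclass(frozen=True)
class Folder:
    fid: str
    vault: str
    readers: frozenset     # users whose ACL entry allows reading attachments
    attachments: tuple = ()


# Constructed sample state; every name and value here is an assumption for this example.
SOCIAL_LOGINS = {
    "vault-hr": {"provider": "provider-a", "client_id": "hr-portal"},
    "vault-it": {"provider": "provider-b", "client_id": "it-portal"},
}
SCAN_RESULTS = ("svc-backup", "svc-sql", "domain-admin-01")
FOLDERS = {"fin": Folder("fin", "vault-fin", frozenset({"alice"}), ("q1.xlsx",))}


def require_login(caller):
    """The only check the vulnerable handlers perform."""
    if caller is None:
        raise PermissionError("authentication required")


# --- Vulnerable pattern: authentication is the only gate -------------------

def social_login_metadata_vuln(caller, vault):
    require_login(caller)
    return SOCIAL_LOGINS[vault]          # vault membership never consulted


def scan_results_vuln(caller):
    require_login(caller)
    return SCAN_RESULTS                  # PAM role never consulted


def duplicate_folder_vuln(caller, fid):
    require_login(caller)
    src = FOLDERS[fid]
    # The copy inherits the source ACL and the caller is added as a reader of the
    # copy, so attachments the source ACL denied become readable through the copy.
    return Folder(fid + "-copy", src.vault, src.readers | {caller.name}, src.attachments)


# --- Hardened pattern: re-check permission on the concrete resource ---------

def social_login_metadata(caller, vault):
    require_login(caller)
    if vault not in caller.vaults:
        raise Forbidden(f"{caller.name} is not a member of {vault}")
    return SOCIAL_LOGINS[vault]


def scan_results(caller):
    require_login(caller)
    if "pam-admin" not in caller.roles:
        raise Forbidden(f"{caller.name} lacks the pam-admin role")
    return SCAN_RESULTS


def duplicate_folder(caller, fid):
    require_login(caller)
    src = FOLDERS[fid]
    # Duplication crosses from "folder is visible" to "contents are readable";
    # read permission on the *source* must be proven before anything is copied.
    if caller.name not in src.readers:
        raise Forbidden(f"{caller.name} may not read attachments in {fid}")
    return Folder(fid + "-copy", src.vault, src.readers | {caller.name}, src.attachments)


def leaks(handler, *args):
    """True when the handler hands back data instead of refusing the caller."""
    try:
        handler(*args)
        return True
    except Forbidden:
        return False


def compare(caller):
    """Map each operation to (vulnerable_leaks, hardened_leaks) for this caller."""
    return {
        "social_login": (leaks(social_login_metadata_vuln, caller, "vault-hr"),
                         leaks(social_login_metadata, caller, "vault-hr")),
        "scan_results": (leaks(scan_results_vuln, caller),
                         leaks(scan_results, caller)),
        "duplicate_folder": (leaks(duplicate_folder_vuln, caller, "fin"),
                             leaks(duplicate_folder, caller, "fin")),
    }


if __name__ == "__main__":
    bob = User("bob", vaults=frozenset({"vault-it"}))   # ordinary member, no PAM role
    for op, (vuln, fixed) in compare(bob).items():
        print(f"{op:18} vulnerable leaks={vuln!s:5} hardened leaks={fixed}")
```

Running the block with the constructed user "bob" (a member of one vault with no PAM role) shows every vulnerable handler returning data and every hardened handler raising `Forbidden`; the same `compare` function is a convenient shape for a regression test that fails if any endpoint ever regresses to an authentication-only check.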

Synthesized by Vypr AI