Information Exposure in Devolutions Server Recovery Kit Feature
CVE-2026-15642

Currently unrated

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-15642?

The Recovery Kit response file generation feature in Devolutions Server versions 2026.1.22.0 and 2026.2.11.0 presents a critical issue where sensitive information, specifically the Azure Key Vault client secret, can be inadvertently disclosed in cleartext. This occurs even if users have selected options intended to exclude sensitive data from being included in the generated response files. Attackers with access to these files can exploit this vulnerability to obtain critical supporting information that should be kept confidential.

Affected Version(s)

Server 0 < 2026.1.23

Server 0 < 2026.2.12

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.