Access Control Flaw in Devolutions Server Affects User Management
CVE-2026-3638

5.9MEDIUM

Key Information:

Vendor: Devolutions
Status: Server
Vendor: CVE Published:; 9 March 2026

🔔 Create Devolutions Vulnerability Alert

What is CVE-2026-3638?

An access control vulnerability identified in Devolutions Server allows low-privileged authenticated users to improperly restore deleted users and roles. This security flaw arises from insufficient restrictions in the user and role restore API endpoints, which can be exploited through carefully crafted API requests. The impact of this vulnerability could lead to unauthorized access to user accounts and roles, potentially compromising the integrity and security of the system. For further details, refer to the advisory from Devolutions.

Affected Version(s)

Server 0 <= 2025.3.11.0

References

https://devolutions.net/security/advisories/DEVO-2026-0007

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2026
Vulnerability Reserved
Mar 6, 2026

CVE-2026-3638 Data

JSON