Improper Access Control in Devolutions Server Affects User Activity Logs
CVE-2026-5171

4.3MEDIUM

Key Information:

Vendor: Devolutions
Status: Server
Vendor: CVE Published:; 22 May 2026

🔔 Create Devolutions Vulnerability Alert

What is CVE-2026-5171?

An improper access control vulnerability in the entry activity log feature of Devolutions Server allows authenticated users to exploit a flaw via crafted API requests. This enables access to activity logs of entries for which they do not possess the necessary permissions, potentially exposing sensitive operational details. Affected versions include Devolutions Server 2026.1.6.0 through 2026.1.16.0 and 2025.3.20.0 or earlier. It is crucial for users to assess their systems for this vulnerability and apply the appropriate security measures.

Affected Version(s)

Server 2026.1.6.0 <= 2026.1.16.0

Server 0 <= 2025.3.20.0

References

https://devolutions.net/security/advisories/DEVO-2026-0013/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
Mar 30, 2026

CVE-2026-5171 Data

JSON