Improper Access Control in Devolutions Server Affects User Data Security
CVE-2026-9246

4.3MEDIUM

Key Information:

Vendor: Devolutions
Status: Server
Vendor: CVE Published:; 22 May 2026

🔔 Create Devolutions Vulnerability Alert

What is CVE-2026-9246?

In Devolutions Server, a vulnerability exists due to improper access control in the entry documentation and attachment features. This allows an authenticated user with vault read access to exploit the system and retrieve sensitive documentation and attachments of sealed entries by sending a specially crafted API request. The affected versions include Devolutions Server 2026.1.6.0 through 2026.1.16.0 and earlier editions up to 2025.3.20.0, posing a risk to user data security.

Affected Version(s)

Server 2026.1.6.0 <= 2026.1.16.0

Server 0 <= 2025.3.20.0

References

https://devolutions.net/security/advisories/DEVO-2026-0013/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
May 21, 2026

CVE-2026-9246 Data

JSON