Authorization Bypass in Devolutions Server Affects User Data Access
CVE-2026-9248

2.6 LOW

Key Information:

Status
Vendor
CVE Published: 22 May 2026

What is CVE-2026-9248?

An authorization bypass vulnerability in the entry duplication feature of Devolutions Server allows an authenticated user with write access to any vault to circumvent access controls. Such a user can copy sensitive documentation and attachments from entries in a vault that they do not have permission to access, which poses significant risks of data exposure and unauthorized information disclosure.

Affected Version(s)

Server 2026.1.6.0 <= 2026.1.16.0

Server 0 <= 2025.3.20.0

CVSS V3.1

Score: 2.6
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
