CVE-2026-11890 Overview
CVE-2026-11890 is an improper access control vulnerability in Devolutions Server affecting Privileged Access Management (PAM) account discovery functionality. The flaw allows an authenticated user to retrieve account discovery scan results that should be restricted. The issue affects Devolutions Server versions 2026.2.5 and 2026.1.21. The vulnerability is categorized under [CWE-284] Improper Access Control and [CWE-882] Class-Level Access Restrictions. Exploitation requires valid authentication but no user interaction, and impacts confidentiality of privileged account data exposed through PAM scans.
Critical Impact
Authenticated users can access PAM account discovery scan results outside their authorization scope, exposing privileged account inventory data.
Affected Products
- Devolutions Server 2026.2.5
- Devolutions Server 2026.1.21
- Devolutions PAM module account discovery feature
Discovery Timeline
- 2026-06-16 - CVE-2026-11890 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-11890
Vulnerability Analysis
The vulnerability resides in the PAM account discovery component of Devolutions Server. Account discovery scans enumerate privileged accounts across managed systems and store results for administrators to review. The application fails to enforce proper authorization checks when users request these scan results. An authenticated user without the necessary PAM privileges can issue requests that return discovery data intended only for privileged administrators. Exposed data may include hostnames, account names, and account metadata gathered during PAM enumeration. This information assists attackers in mapping privileged account infrastructure for follow-on credential attacks. The attack vector is network-based and exploitation complexity is low, requiring only standard user credentials.
Root Cause
The root cause is missing or insufficient authorization enforcement on the API endpoints that serve PAM account discovery results. The application authenticates the requester but does not validate whether the user holds the role required to view scan output. This represents a broken access control pattern aligned with [CWE-284] and [CWE-882].
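The broken-access-control pattern described above, as an added example that is not Devolutions' code: a request handler that stops at authentication, beside the hardened form that also enforces the required role before serving scan output. The scan store, the `pam-admin` role name and the handler names are constructed for illustration.

```python
"""Authentication-only vs. authentication-plus-authorization for a scan-results endpoint.

Added example; the data, role name and function names below are constructed
and do not reflect Devolutions Server's actual implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when an authenticated user lacks the role the resource requires."""


# Constructed scan store: scan id -> discovery results (hostnames, account names).
SCAN_RESULTS = {
    "scan-1": [{"host": "db01.example.test", "account": "svc_backup"}],
    "scan-2": [{"host": "web01.example.test", "account": "deploy"}],
}

# Constructed role that should be required to read PAM discovery output.
PAM_ADMIN = "pam-admin"


def can_read_scan(user):
    """Server-side authorization decision: only holders of PAM_ADMIN may read results."""
    return user is not None and PAM_ADMIN in user.roles


def get_scan_results_vulnerable(user, scan_id):
    """The CWE-284 pattern: the caller is authenticated, but no role check is made,
    so any logged-in user can read any scan's privileged account inventory."""
    if user is None:
        raise PermissionError("authentication required")
    return SCAN_RESULTS[scan_id]


def get_scan_results_fixed(user, scan_id):
    """Hardened handler: authenticate, then authorize, then look up the resource."""
    if user is None:
        raise PermissionError("authentication required")
    if not can_read_scan(user):
        # Deny in the handler itself; hiding the UI element is not a control.
        raise Forbidden(f"{user.name} lacks role {PAM_ADMIN!r}")
    # The role check runs before the existence check so that unauthorized
    # callers cannot learn which scan ids exist from differing error responses.
    if scan_id not in SCAN_RESULTS:
        raise KeyError(scan_id)
    return SCAN_RESULTS[scan_id]
```

The ordering in the fixed handler matters: authorization is decided before the resource lookup, so a caller without the role receives the same response for existing and non-existing scan ids.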
Attack Vector
An attacker with any authenticated session to a vulnerable Devolutions Server instance can query the PAM account discovery results endpoint. No elevated privileges, social engineering, or user interaction are required. The vulnerability is described in the Devolutions Security Advisory DEVO-2026-0017.
No verified proof-of-concept exploit code is publicly available for this vulnerability. The EPSS score is 0.162% at the time of publication, indicating low predicted exploitation activity.
Detection Methods for CVE-2026-11890
Indicators of Compromise
- Unexpected API requests from low-privilege user accounts targeting PAM account discovery endpoints
- Authenticated sessions retrieving scan result payloads inconsistent with the user's assigned role
- Spikes in read operations against PAM discovery resources from non-administrator principals
Detection Strategies
- Review Devolutions Server audit logs for account discovery result access by users outside the PAM administrator group
- Correlate authentication events with PAM API access patterns to identify unauthorized data retrieval
- Baseline normal PAM administrator access and alert on deviations from that baseline
Monitoring Recommendations
- Enable verbose audit logging for all PAM module endpoints in Devolutions Server
- Forward Devolutions Server logs to a centralized SIEM for retention and correlation
- Monitor for enumeration patterns where a single user retrieves multiple discovery scan results in a short timeframe
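The detection strategies and monitoring recommendations above, worked through as an added example over constructed audit lines; this is not Devolutions Server's real log schema. The JSON field names, the action string `pam.discovery.result.read`, the administrator list and the sample events are all assumptions made for illustration. The script flags successful discovery-result reads by principals outside the PAM administrator group, and separately flags any user who retrieves several distinct scan results within a short window.

```python
"""Detection sketch: unauthorized and burst reads of PAM discovery results.

Added example; the log format, field names, role list and events below are
constructed for illustration only.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: principals entitled to read account discovery results.
PAM_ADMINS = {"alice"}

# Constructed action name for a successful read of scan output.
DISCOVERY_ACTION = "pam.discovery.result.read"

# Constructed sample audit log, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-06-17T09:00:01Z","user":"alice","action":"pam.discovery.result.read","scan_id":"scan-1","status":200}
{"ts":"2026-06-17T09:05:10Z","user":"bob","action":"pam.discovery.result.read","scan_id":"scan-1","status":200}
{"ts":"2026-06-17T09:05:11Z","user":"bob","action":"pam.discovery.result.read","scan_id":"scan-2","status":200}
{"ts":"2026-06-17T09:05:12Z","user":"bob","action":"pam.discovery.result.read","scan_id":"scan-3","status":200}
{"ts":"2026-06-17T09:30:00Z","user":"carol","action":"vault.entry.read","entry_id":"e-9","status":200}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def successful_discovery_reads(events):
    """Only successful reads of discovery output are relevant to data exposure."""
    return [e for e in events
            if e.get("action") == DISCOVERY_ACTION and e.get("status") == 200]


def unauthorized_reads(events, admins=PAM_ADMINS):
    """Reads of scan results by principals outside the PAM administrator group."""
    return [e for e in successful_discovery_reads(events) if e["user"] not in admins]


def enumeration_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map user -> distinct scan ids read, for users reaching `threshold`
    distinct scan results within any `window`-long sliding interval."""
    per_user = defaultdict(list)
    for e in successful_discovery_reads(events):
        per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["scan_id"])
            if len(seen) >= threshold:
                flagged[user] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in unauthorized_reads(evs):
        print("non-admin read:", e["user"], e["scan_id"], e["ts"].isoformat())
    for user, count in enumeration_bursts(evs).items():
        print("burst:", user, "read", count, "distinct scans")
```

When adapting this to real Devolutions Server logs forwarded to a SIEM, map the constructed field names to the fields the product actually emits, and source the administrator list from the PAM role assignments rather than a hard-coded set.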
How to Mitigate CVE-2026-11890
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as specified in the Devolutions Security Advisory DEVO-2026-0017
- Audit existing PAM user role assignments and remove unnecessary access to the PAM module
- Review historical audit logs for unauthorized access to account discovery scan results
Patch Information
Devolutions has published remediation guidance in Security Advisory DEVO-2026-0017. Consult that advisory for the fixed version numbers and the upgrade instructions that apply to Devolutions Server 2026.2.5 and 2026.1.21.
Workarounds
- Restrict PAM module access strictly to administrators required to operate account discovery
- Disable account discovery scans until the server is upgraded if business operations permit
- Rotate credentials for any privileged accounts whose metadata may have been exposed through unauthorized result retrieval
Verification Notes
- Refer to vendor advisory DEVO-2026-0017 for upgrade procedures
- Verify the installed Devolutions Server version before and after patching
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.