CVE-2026-12105 Overview
CVE-2026-12105 is an improper access control vulnerability [CWE-862] affecting Devolutions Server versions 2026.2.5 and 2026.1.21. The flaw allows an authenticated user to access attachments through folder duplication with inherited permissions. When a user duplicates a folder, the duplicated object inherits permissions in a way that exposes attachments the user should not be able to view.
The issue is network-exploitable and requires low privileges with no user interaction. Successful exploitation results in confidentiality impact, exposing sensitive attachment data stored in the Devolutions Server vault.
Critical Impact
An authenticated attacker can read attachments belonging to other users or vaults by abusing folder duplication, leading to disclosure of credentials, documents, or other sensitive data managed by Devolutions Server.
Affected Products
- Devolutions Server 2026.2.5
- Devolutions Server 2026.1.21
- Earlier 2026 release branches sharing the same access control logic
Discovery Timeline
- 2026-06-16 - CVE-2026-12105 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12105
Vulnerability Analysis
The vulnerability resides in the folder duplication workflow of Devolutions Server. When a user duplicates a folder, the server copies the folder structure along with its child objects, including attachments. The permission inheritance logic applied to the duplicated objects does not re-apply the access checks that protected the original attachments. As a result, an authenticated low-privileged user can use folder duplication to obtain a reference to attachments that their account would otherwise be unauthorized to retrieve.
The weakness maps to CWE-862: Missing Authorization. Devolutions has published Devolutions Security Advisory DEVO-2026-0017 describing the issue and the fixed releases.
Root Cause
The root cause is missing authorization verification on attachment objects during folder duplication. The duplication routine reuses inherited permissions from the new parent folder instead of re-evaluating per-attachment access rights against the requesting user. This bypasses the per-object authorization model that normally protects attachments.
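To make the root cause concrete, the following is an added, constructed model of the two duplication behaviours (it is not Devolutions code, and the class and function names are assumptions): the vulnerable routine authorizes only the folder and lets every copied attachment inherit the destination ACL, while the hardened routine re-evaluates the requesting user's right to each attachment and fails closed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed model of folder duplication with inherited permissions; it
# illustrates the CWE-862 pattern described above and is not Devolutions code.


class AuthorizationError(PermissionError):
    """Raised when the requesting user lacks access to an object."""


@dataclass
class Attachment:
    name: str
    readers: FrozenSet[str]  # per-object ACL: users allowed to read it


@dataclass
class Folder:
    name: str
    readers: FrozenSet[str]
    attachments: List[Attachment] = field(default_factory=list)


def duplicate_inheriting(src: Folder, user: str, dest_readers: FrozenSet[str]) -> Folder:
    """Vulnerable pattern: only the folder is authorized. Each copied attachment
    inherits the destination ACL, so `user` ends up able to read copies of
    attachments whose original ACL excluded them."""
    if user not in src.readers:
        raise AuthorizationError(f"{user} may not read folder {src.name}")
    copy = Folder(f"{src.name} (copy)", dest_readers)
    for att in src.attachments:
        # No per-attachment check: the copy simply takes the new parent's ACL.
        copy.attachments.append(Attachment(att.name, dest_readers))
    return copy


def duplicate_checked(src: Folder, user: str, dest_readers: FrozenSet[str]) -> Folder:
    """Hardened pattern: re-evaluate the requesting user's right to every
    attachment before anything is copied, failing closed on the first denial."""
    if user not in src.readers:
        raise AuthorizationError(f"{user} may not read folder {src.name}")
    for att in src.attachments:
        if user not in att.readers:
            raise AuthorizationError(f"{user} may not read attachment {att.name}")
    copy = Folder(f"{src.name} (copy)", dest_readers)
    for att in src.attachments:
        # Every attachment reached here was individually authorized for `user`.
        copy.attachments.append(Attachment(att.name, dest_readers))
    return copy
```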
Attack Vector
An attacker must hold a valid Devolutions Server account with permission to duplicate folders into a destination they control. The attacker selects or references a folder containing attachments they cannot view directly. After duplication, the inherited permissions on the new folder grant the attacker access to copies of the original attachments. The vector is fully network-based and requires no user interaction.
No exploit code or proof-of-concept is publicly available. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS probability is 0.201%.
Detection Methods for CVE-2026-12105
Indicators of Compromise
- Unexpected folder duplication events in Devolutions Server audit logs, especially across vault boundaries or organizational units.
- Attachment download events tied to recently duplicated folders that contain content the requesting user previously lacked access to.
- Spikes in Duplicate or Copy operations originating from a single low-privileged account within a short window.
Detection Strategies
- Review Devolutions Server audit trails for folder duplication actions correlated with subsequent attachment read operations.
- Compare permissions and ownership on objects before and after duplication events to identify cases where the inherited permissions on the copy differ from those on the source.
- Hunt for low-privileged accounts performing duplication operations against high-value vaults or shared folders.
Monitoring Recommendations
- Forward Devolutions Server audit logs to a centralized SIEM and alert on folder duplication followed by attachment access within the same session.
- Baseline normal folder duplication frequency per role and alert on outliers.
- Track attachment access patterns per user and flag access to objects newly created via duplication.
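The correlation rule recommended above (folder duplication followed by attachment access from the duplicated folder within the same session), as an added example run over constructed audit events. The event field names are assumptions and do not reflect the real Devolutions Server audit schema; map them to the exported log fields before use.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit events (not real Devolutions Server log output); field names
# such as "action", "target" and "folder" are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2026-06-17T09:00:05", "user": "jdoe", "session": "S1",
     "action": "FolderDuplicate", "source": "Finance/Contracts",
     "target": "Personal/Contracts-copy"},
    {"ts": "2026-06-17T09:02:40", "user": "jdoe", "session": "S1",
     "action": "AttachmentDownload", "folder": "Personal/Contracts-copy",
     "object": "payroll.xlsx"},
    {"ts": "2026-06-17T11:00:00", "user": "msmith", "session": "S2",
     "action": "FolderDuplicate", "source": "IT/Runbooks",
     "target": "IT/Runbooks-2026"},
    {"ts": "2026-06-17T15:30:00", "user": "msmith", "session": "S3",
     "action": "AttachmentDownload", "folder": "IT/Runbooks-2026",
     "object": "dr-plan.pdf"},
]


def find_duplicate_then_download(events: List[Dict],
                                 window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Flag attachment downloads from a folder that the same user, in the same
    session, created by duplication no more than `window` earlier."""
    events = sorted(events, key=lambda e: e["ts"])
    # (user, session, destination folder) -> time of the duplication
    recent_dups: Dict[Tuple[str, str, str], datetime] = {}
    findings: List[Dict] = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "FolderDuplicate":
            recent_dups[(e["user"], e["session"], e["target"])] = ts
        elif e["action"] == "AttachmentDownload":
            dup_ts = recent_dups.get((e["user"], e["session"], e["folder"]))
            if dup_ts is not None and ts - dup_ts <= window:
                findings.append({
                    "user": e["user"], "folder": e["folder"],
                    "object": e["object"],
                    "seconds_after_duplicate": int((ts - dup_ts).total_seconds()),
                })
    return findings
```

Only the jdoe sequence is flagged; the msmith download happens in a different session and hours later, which is the normal pattern the baseline should tolerate.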
How to Mitigate CVE-2026-12105
Immediate Actions Required
- Upgrade Devolutions Server to a version released after 2026.2.5 and 2026.1.21 that addresses DEVO-2026-0017.
- Audit accounts that performed folder duplication operations since the last known patched state and review the attachments they accessed.
- Restrict folder duplication permissions to roles that require the capability, and apply least privilege across vault assignments.
Patch Information
Devolutions has published fixed releases through the Devolutions Security Advisory DEVO-2026-0017. Administrators should apply the vendor-supplied update following standard Devolutions Server upgrade procedures and validate audit logging after the upgrade.
Workarounds
- Temporarily remove folder duplication permissions from low-privileged roles until the patch is deployed.
- Move sensitive attachments into vaults that the broader user base cannot duplicate from.
- Increase audit log retention and review frequency for duplication and attachment access events until the upgrade is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

