CVE-2026-12117 Overview
CVE-2026-12117 is an improper access control vulnerability [CWE-200] in the social login connection endpoint of Devolutions Server 2026.2.5. An authenticated vault member can issue a crafted API request to enumerate metadata for social login entries they are not authorized to view. The flaw enables information disclosure without affecting integrity or availability. Devolutions published security advisory DEVO-2026-0017 describing the issue. The EPSS score is 0.176% with a percentile of 7.33, indicating low predicted exploitation likelihood.
Critical Impact
Authenticated low-privilege users can enumerate social login entry metadata across the vault, exposing information that should be restricted by access controls.
Affected Products
- Devolutions Server 2026.2.5
- Devolutions Server 2026 branch builds prior to the fixed release referenced in DEVO-2026-0017
- Deployments exposing the social login connection API endpoint to authenticated vault members
Discovery Timeline
- 2026-06-16 - CVE-2026-12117 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12117
Vulnerability Analysis
The vulnerability resides in the social login connection endpoint exposed by Devolutions Server. The endpoint accepts authenticated API requests from any vault member but fails to enforce per-entry authorization checks. As a result, a user who is authenticated to the server can craft requests that return metadata for social login entries belonging to other users or vaults. The exposed metadata is limited to entry attributes rather than secrets, which aligns with the confidentiality-only impact described in the advisory. No user interaction or elevated privileges are required beyond standard vault membership.
Root Cause
The root cause is a missing authorization check on the social login connection API path. The endpoint validates that the caller is authenticated but does not verify that the caller has rights to the specific entry identifier supplied in the request. This is a classic broken access control pattern mapped to [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
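The missing per-entry check described above is easiest to see side by side with its fix. The following Python is an added illustration, not Devolutions Server code: the entry store, vault membership table, session object and route handlers are all constructed for the example. The vulnerable handler stops at authentication; the fixed handler also resolves the entry's vault and requires the caller to be a member of it, and it collapses "unauthorized" and "nonexistent" into the same 404 so the endpoint cannot be used to confirm which identifiers exist.

```python
"""Entry-metadata endpoint with and without a per-entry authorization check.
Added example; the data and handlers are constructed, not the vendor's code."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: three vaults, four social login entries, three users.
SOCIAL_LOGIN_ENTRIES = {
    101: {"vault_id": 1, "name": "GitHub SSO", "provider": "github"},
    102: {"vault_id": 1, "name": "Google Workspace", "provider": "google"},
    201: {"vault_id": 2, "name": "Okta admin", "provider": "okta"},
    301: {"vault_id": 3, "name": "Azure AD break-glass", "provider": "azuread"},
}
VAULT_MEMBERS = {1: {"alice", "bob"}, 2: {"bob"}, 3: {"carol"}}


@dataclass
class Session:
    user: Optional[str] = None  # None models an unauthenticated caller

    @property
    def authenticated(self) -> bool:
        return self.user is not None


def metadata_for(entry: dict) -> dict:
    # Only descriptive attributes leave the server; the credential itself never does.
    return {"name": entry["name"], "provider": entry["provider"], "vault_id": entry["vault_id"]}


def get_entry_vulnerable(session: Session, entry_id: int):
    """Checks only that the caller is logged in, so any vault member reads any entry."""
    if not session.authenticated:
        return 401, None
    entry = SOCIAL_LOGIN_ENTRIES.get(entry_id)
    if entry is None:
        return 404, None
    return 200, metadata_for(entry)


def caller_can_read(session: Session, entry: dict) -> bool:
    """Authorization decision tied to the specific entry: membership of its vault."""
    return session.user in VAULT_MEMBERS.get(entry["vault_id"], set())


def get_entry_fixed(session: Session, entry_id: int):
    """Authenticates, then authorizes against the entry actually requested.
    Unauthorized and nonexistent ids both return 404 so the route is not an existence oracle."""
    if not session.authenticated:
        return 401, None
    entry = SOCIAL_LOGIN_ENTRIES.get(entry_id)
    if entry is None or not caller_can_read(session, entry):
        return 404, None
    return 200, metadata_for(entry)


def readable_entries(handler, session: Session):
    """Entry ids a session can read through the given handler; used to compare both versions."""
    return sorted(eid for eid in SOCIAL_LOGIN_ENTRIES if handler(session, eid)[0] == 200)


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable:", readable_entries(get_entry_vulnerable, alice))  # every entry
    print("fixed:     ", readable_entries(get_entry_fixed, alice))       # vault 1 only
```

The design point is that authorization must be evaluated against the object the identifier resolves to, not against the caller alone; a check that only asks "is this user logged in?" is exactly the pattern the root cause describes.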
Attack Vector
Exploitation requires network access to the Devolutions Server API and valid vault member credentials. The attacker iterates entry identifiers in the social login connection endpoint and parses the metadata returned for entries outside their authorization scope. The vulnerability does not enable code execution, modification of entries, or denial of service. See the Devolutions Security Advisory DEVO-2026-0017 for vendor-provided technical context.
Detection Methods for CVE-2026-12117
Indicators of Compromise
- High-volume sequential requests from a single authenticated session to the social login connection endpoint
- API responses returning metadata for entry identifiers the requesting user has never previously accessed
- Audit log entries showing the same vault member querying entries across multiple unrelated vaults in a short window
Detection Strategies
- Review Devolutions Server audit logs for enumeration patterns against social login connection routes
- Correlate authenticated API requests with the requester's assigned vault scope to surface out-of-scope access
- Apply rate limiting and anomaly thresholds on per-user API calls to identify scraping behavior
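The indicators and strategies listed above reduce to two checks that can be run over audit logs: a successful read of an entry whose vault is outside the requester's assigned scope, and a burst of requests to the endpoint from one session inside a short window. The Python below is an added example, not Devolutions tooling; the audit-log line format, the route pattern, the user-to-vault and entry-to-vault reference tables, the sample log lines and the 4-requests-per-60-seconds threshold are all assumptions constructed for the demonstration and will need to be replaced with the real export format and your own scope data.

```python
"""Detects out-of-scope entry reads and per-session request bursts in audit logs.
Added example with a constructed log format; not the vendor's log schema."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log shape: "<iso-ts> user=<u> session=<s> path=<p> status=<n>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# Assumed route for the social login connection endpoint (placeholder, not the real path).
ROUTE_RE = re.compile(r"^/api/social-login/connections/(?P<entry_id>\d+)$")

# Constructed reference data: which vaults each user is assigned to, and each entry's vault.
USER_VAULTS = {"alice": {1}, "bob": {1, 2}, "carol": {3}}
ENTRY_VAULT = {101: 1, 102: 1, 201: 2, 301: 3, 302: 3}

WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 4  # requests per session within WINDOW treated as enumeration (assumed)


def parse(line: str):
    """Returns a dict for a social-login-endpoint request, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    r = ROUTE_RE.match(m["path"])
    if not r:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "user": m["user"],
        "session": m["session"],
        "entry_id": int(r["entry_id"]),
        "status": int(m["status"]),
    }


def analyze(lines):
    """Correlates each request with the requester's vault scope and tracks burst rate."""
    out_of_scope = []        # (user, entry_id, entry's vault) for successful out-of-scope reads
    bursts = set()           # sessions that exceeded BURST_THRESHOLD inside WINDOW
    recent = defaultdict(deque)  # session -> timestamps of requests inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        vault = ENTRY_VAULT.get(ev["entry_id"])
        # Only a 200 discloses metadata; a 404 on an unknown id is not a disclosure.
        if ev["status"] == 200 and vault not in USER_VAULTS.get(ev["user"], set()):
            out_of_scope.append((ev["user"], ev["entry_id"], vault))
        q = recent[ev["session"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= BURST_THRESHOLD:
            bursts.add(ev["session"])
    return {"out_of_scope": out_of_scope, "burst_sessions": sorted(bursts)}


# Constructed sample log: alice reads her own entry, bob walks ids into vault 3
# in a few seconds, carol reads her own entry and an unrelated route.
SAMPLE_LOG = """\
2026-06-20T10:00:01Z user=alice session=s-alice path=/api/social-login/connections/101 status=200
2026-06-20T10:00:05Z user=bob session=s-bob path=/api/social-login/connections/201 status=200
2026-06-20T10:00:07Z user=bob session=s-bob path=/api/social-login/connections/301 status=200
2026-06-20T10:00:08Z user=bob session=s-bob path=/api/social-login/connections/302 status=200
2026-06-20T10:00:09Z user=bob session=s-bob path=/api/social-login/connections/303 status=404
2026-06-20T10:05:00Z user=carol session=s-carol path=/api/social-login/connections/301 status=200
2026-06-20T10:05:02Z user=carol session=s-carol path=/api/vaults status=200
""".splitlines()

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, entry_id, vault in report["out_of_scope"]:
        print(f"out-of-scope read: user={user} entry={entry_id} vault={vault}")
    print("burst sessions:", report["burst_sessions"])
```

The scope correlation is the higher-fidelity signal, since a single out-of-scope 200 is already a disclosure; the burst counter is the cheaper signal that works even where per-entry vault mapping is not available to the SIEM, at the cost of needing a threshold tuned to normal client behaviour.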
Monitoring Recommendations
- Forward Devolutions Server application and audit logs to a centralized SIEM for retention and analytics
- Alert on requests to the social login connection endpoint that return entries outside a user's assigned permissions
- Track baseline API usage per vault member and flag deviations consistent with enumeration
How to Mitigate CVE-2026-12117
Immediate Actions Required
- Upgrade Devolutions Server to the fixed release identified in Devolutions Security Advisory DEVO-2026-0017
- Audit vault membership and remove accounts that do not require access to the affected server
- Review historical audit logs for prior enumeration attempts against the social login endpoint
Patch Information
Devolutions has published the fix and remediation details in advisory DEVO-2026-0017. Administrators should apply the vendor-supplied update for Devolutions Server 2026.2.5 and validate version strings after deployment. Refer to the Devolutions Security Advisory DEVO-2026-0017 for affected build ranges and the corrected version.
Workarounds
- Restrict network access to the Devolutions Server API to trusted administrative networks until patching is complete
- Limit vault membership to the minimum users required for business operations
- Enable detailed API audit logging and monitor the social login connection endpoint for anomalous access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.