CVE-2026-3638 Overview
CVE-2026-3638 is an improper access control vulnerability affecting Devolutions Server 2025.3.11.0 and earlier versions. The vulnerability exists in the user and role restore API endpoints, allowing a low-privileged authenticated user to restore deleted users and roles via crafted API requests. This broken access control flaw (CWE-862: Missing Authorization) enables unauthorized users to manipulate account management functions that should be restricted to administrators.
Critical Impact
A low-privileged authenticated attacker can restore previously deleted user accounts and roles, potentially reactivating compromised accounts or re-establishing unauthorized access paths within the organization's privileged access management infrastructure.
Affected Products
- Devolutions Server 2025.3.11.0 and earlier
- Affected component: the user and role restore API endpoints of Devolutions Server
Discovery Timeline
- 2026-03-09 - CVE-2026-3638 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-3638
Vulnerability Analysis
This vulnerability stems from missing authorization checks in the user and role restore API endpoints within Devolutions Server. The affected API endpoints fail to properly validate whether the requesting user has sufficient privileges to perform restore operations on deleted user accounts and roles.
The vulnerability is reachable over the network and requires an authenticated session with low privileges; its attack complexity is rated high. When exploited, an attacker gains the ability to change user and role states within the system (high integrity impact) and may learn limited information about deleted accounts (low confidentiality impact).
Devolutions Server is a privileged access management (PAM) solution used by organizations to secure, control, and monitor privileged access to critical infrastructure. The ability to restore deleted users and roles could allow an attacker to reactivate accounts that were disabled for security reasons, such as compromised credentials or terminated employees.
Root Cause
The root cause is CWE-862 (Missing Authorization). The restore functionality for users and roles does not properly enforce authorization checks to verify that the authenticated user has administrative privileges before processing the restore request. This allows any authenticated user with low privileges to invoke these administrative functions.
Attack Vector
The attack vector is network-based, requiring an authenticated session with low privileges. An attacker who has legitimate but limited access to the Devolutions Server can craft malicious API requests targeting the user and role restore endpoints. By sending properly formatted requests to these endpoints, the attacker can restore previously deleted user accounts and roles without having the administrative permissions normally required for such operations.
The attack exploits the gap between authentication (proving identity) and authorization (proving permission) in the affected API endpoints. While the system correctly requires authentication, it fails to verify that the authenticated user is authorized to perform restore operations.
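The authentication/authorization gap described above, as an added Python model that is not Devolutions Server code. The role names, the session table, the audit record shape and the handler names are assumptions made for illustration; the same pattern applies to the role restore endpoint.

```python
# Added example, not Devolutions Server code: a minimal in-memory model of the
# authentication/authorization gap.  Role names ("Administrator"/"User"), the
# session table and the audit record fields are assumptions for illustration.
from dataclasses import dataclass, field


class Unauthenticated(Exception):
    """No valid session: the caller could not prove identity."""


class Forbidden(Exception):
    """Valid session, but the caller lacks permission for the operation."""


@dataclass
class Account:
    username: str
    role: str                # assumed role names: "Administrator" or "User"
    deleted: bool = False


@dataclass
class Server:
    accounts: dict = field(default_factory=dict)   # username -> Account
    sessions: dict = field(default_factory=dict)   # session token -> username
    audit: list = field(default_factory=list)      # one dict per operation

    # Authentication: map a session token to a live account.  Both handlers
    # below do this correctly; it is not where the flaw lives.
    def authenticate(self, token):
        username = self.sessions.get(token)
        if username is None or self.accounts[username].deleted:
            raise Unauthenticated("no valid session")
        return self.accounts[username]

    def _record(self, action, caller, target, outcome):
        self.audit.append({"action": action, "actor": caller.username,
                           "actor_role": caller.role, "target": target,
                           "outcome": outcome})

    # Vulnerable shape (CWE-862): any authenticated caller reaches the restore
    # logic; nobody checks whether the caller may administer accounts.
    def restore_user_vulnerable(self, token, target):
        caller = self.authenticate(token)
        self.accounts[target].deleted = False
        self._record("restore_user", caller, target, "success")
        return self.accounts[target]

    # Fixed shape: authorization is a separate, explicit step that fails
    # closed for every role other than the one allowed to restore accounts.
    def restore_user_fixed(self, token, target):
        caller = self.authenticate(token)
        if caller.role != "Administrator":
            self._record("restore_user", caller, target, "denied")
            raise Forbidden(f"{caller.username} may not restore users")
        self.accounts[target].deleted = False
        self._record("restore_user", caller, target, "success")
        return self.accounts[target]


def build_server():
    """Constructed state: one admin, one low-privileged user, and one
    administrator account that was deleted when the employee left."""
    srv = Server()
    for name, role, deleted in [("admin", "Administrator", False),
                                ("contractor", "User", False),
                                ("ex_employee", "Administrator", True)]:
        srv.accounts[name] = Account(name, role, deleted)
    srv.sessions["tok-admin"] = "admin"
    srv.sessions["tok-contractor"] = "contractor"
    return srv


def demo():
    """Send the same low-privileged request to both handlers."""
    vuln = build_server()
    restored = vuln.restore_user_vulnerable("tok-contractor", "ex_employee")

    fixed = build_server()
    try:
        fixed.restore_user_fixed("tok-contractor", "ex_employee")
        denied = False
    except Forbidden:
        denied = True
    still_deleted = fixed.accounts["ex_employee"].deleted
    admin_ok = fixed.restore_user_fixed("tok-admin", "ex_employee")

    return {
        "vulnerable_restored": not restored.deleted,    # flaw reproduced
        "fixed_denied": denied,                         # low-priv caller blocked
        "fixed_left_deleted": still_deleted,            # nothing changed on denial
        "fixed_admin_restored": not admin_ok.deleted,   # admin path still works
        "denied_audit": [e for e in fixed.audit if e["outcome"] == "denied"],
    }


if __name__ == "__main__":
    print(demo())
```

The fixed handler also writes a "denied" audit record, which is the event a detection rule for this CVE keys on; the vulnerable handler never produces one, so on an unpatched server only the successful restore by a non-administrator is visible.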
Detection Methods for CVE-2026-3638
Indicators of Compromise
- Unexpected restoration of previously deleted user accounts in Devolutions Server audit logs
- API requests to user/role restore endpoints originating from non-administrative user sessions
- Sudden reappearance of disabled or terminated user accounts
- Unauthorized role modifications or restorations in the access management system
Detection Strategies
- Monitor Devolutions Server audit logs for restore operations performed by users who should not have administrative access
- Implement alerting on API endpoint access patterns that indicate restore functionality being called by non-privileged accounts
- Review authentication logs for sessions that successfully invoke administrative API endpoints without proper role assignments
Monitoring Recommendations
- Enable detailed API request logging for all user and role management endpoints
- Configure SIEM rules to alert on restore operations from accounts without administrative privileges
- Establish baseline behavior for administrative API usage and alert on anomalies
- Implement regular audits of user account states to detect unauthorized restorations
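The detection strategies and monitoring recommendations above, run over constructed audit records as an added Python example that is not a Devolutions tool. The JSON field names (timestamp, actor, actor_role, action, target, outcome) and the action names are assumptions; map them onto the real audit export before use. The administrator list is taken from an authoritative source rather than from the log itself, because a role recorded in the log may already be the result of an unauthorized restore.

```python
# Added example, not Devolutions Server code.  The log format below is
# constructed (JSON lines with assumed field names); only the detection
# logic is the point.
import json

# Constructed sample log: an admin deletes a leaver, a low-privileged user
# restores that account and a role, and the leaver then logs in again.
SAMPLE_LOG = """\
{"timestamp": "2026-03-10T08:01:12Z", "actor": "admin", "actor_role": "Administrator", "action": "delete_user", "target": "ex_employee", "outcome": "success"}
{"timestamp": "2026-03-10T09:14:03Z", "actor": "contractor", "actor_role": "User", "action": "view_entry", "target": "vault/prod-db", "outcome": "success"}
{"timestamp": "2026-03-10T09:15:47Z", "actor": "contractor", "actor_role": "User", "action": "restore_user", "target": "ex_employee", "outcome": "success"}
{"timestamp": "2026-03-10T09:16:02Z", "actor": "contractor", "actor_role": "User", "action": "restore_role", "target": "Vault Administrators", "outcome": "success"}
{"timestamp": "2026-03-10T10:30:00Z", "actor": "admin", "actor_role": "Administrator", "action": "restore_user", "target": "intern", "outcome": "success"}
{"timestamp": "2026-03-10T11:02:55Z", "actor": "ex_employee", "actor_role": "Administrator", "action": "login", "target": "", "outcome": "success"}
"""

ADMINS = {"admin"}                      # assumed: from the IdP, not from the log
RESTORE_ACTIONS = {"restore_user", "restore_role"}


def parse_log(text):
    """One JSON object per non-empty line; malformed lines are skipped and counted."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def unauthorised_restores(records, admins):
    """Indicator: a successful restore whose actor is not a known administrator."""
    return [r for r in records
            if r["action"] in RESTORE_ACTIONS
            and r["outcome"] == "success"
            and r["actor"] not in admins]


def revived_logins(records, admins):
    """Indicator: an account deleted earlier in the window logs in again
    without an administrator having restored it in between."""
    deleted, findings = set(), []
    for r in records:
        if r["outcome"] != "success":
            continue
        if r["action"] == "delete_user":
            deleted.add(r["target"])
        elif r["action"] == "restore_user" and r["actor"] in admins:
            deleted.discard(r["target"])        # authorised restore: not suspicious
        elif r["action"] == "login" and r["actor"] in deleted:
            findings.append({"user": r["actor"], "login_at": r["timestamp"]})
    return findings


def reconcile(expected_deleted, current_active):
    """Account-state audit: names that should be gone but are currently active."""
    return sorted(set(expected_deleted) & set(current_active))


def run_detection(text, admins, expected_deleted, current_active):
    records, bad = parse_log(text)
    return {
        "unparsed_lines": bad,
        "unauthorised_restores": unauthorised_restores(records, admins),
        "revived_logins": revived_logins(records, admins),
        "reactivated_accounts": reconcile(expected_deleted, current_active),
    }


if __name__ == "__main__":
    # Constructed inputs: the offboarding list and a current account snapshot.
    result = run_detection(SAMPLE_LOG, ADMINS,
                           expected_deleted=["ex_employee", "old_svc"],
                           current_active=["admin", "contractor", "ex_employee", "intern"])
    for key, value in result.items():
        print(key, value)
```

The three checks are deliberately independent: the first catches the restore itself, the second catches the consequence (a revived account being used) even if the restore event is missing from the export, and the third needs no log at all and can be run as a periodic reconciliation against the offboarding list.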
How to Mitigate CVE-2026-3638
Immediate Actions Required
- Upgrade Devolutions Server to a release later than 2025.3.11.0 (see the Devolutions advisory for the fixed build)
- Review audit logs for any signs of exploitation or unauthorized restore operations
- Verify the state of all user accounts and roles, ensuring no unauthorized restorations have occurred
- Use network segmentation to limit which networks can reach the Devolutions Server API at all; restricting only the administrative interface does not help, because the vulnerable endpoints are reachable by any authenticated user
Patch Information
Devolutions has released a security advisory addressing this vulnerability. Organizations should apply the latest security updates from Devolutions to remediate this issue. Refer to the Devolutions Security Advisory DEVO-2026-0007 for detailed patch information and updated software versions.
Workarounds
- Restrict network access to Devolutions Server API endpoints using firewall rules or network segmentation
- Restrict the user and role restore endpoints at a reverse proxy or API gateway (for example, by source address or client certificate) rather than adding another login step: the flaw is missing authorization, so a low-privileged user who authenticates successfully would pass any extra authentication as well
- Enable comprehensive audit logging and monitoring to detect any exploitation attempts
- Review and minimize the number of users with any level of access to Devolutions Server until patching is complete
# Example: network restriction in front of Devolutions Server
# Devolutions Server runs on Windows/IIS, so apply this on a Linux reverse proxy or
# perimeter firewall that forwards HTTPS to it; insert ahead of any broad ACCEPT rule
# Caveat: the flaw needs only a low-privileged login, so the allowed subnet must
# contain only administrators, not the general user population
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.