CVE-2026-5146 Overview
CVE-2026-5146 is an improper access control vulnerability in Devolutions Server notification management endpoints. The flaw stems from missing session validation, allowing an unauthenticated attacker to modify or delete arbitrary user notification records. The vulnerability is tracked under CWE-862: Missing Authorization.
The issue affects Devolutions Server 2026.1.6.0 through 2026.1.15.0 and 2025.3.19.0 and earlier. Devolutions disclosed the vulnerability in advisory DEVO-2026-0012.
Critical Impact
An unauthenticated network attacker can tamper with or destroy notification records belonging to any user, undermining the integrity of audit and alerting workflows in Devolutions Server deployments.
Affected Products
- Devolutions Server 2026.1.6.0 through 2026.1.15.0
- Devolutions Server 2025.3.19.0 and earlier
- Affected component: the notification management endpoints of the Devolutions Server web API
Discovery Timeline
- 2026-05-12 - CVE-2026-5146 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-5146
Vulnerability Analysis
The vulnerability resides in the notification management endpoints exposed by Devolutions Server. These endpoints are intended to allow authenticated users to manage their own notification records. However, the affected versions fail to enforce session validation before processing modification or deletion requests.
Because the server never checks whether the caller holds a valid session, modification and deletion requests are processed with no authentication or authorization at all. An attacker who can reach the endpoints over the network submits requests targeting notification records owned by any user. The classification under CWE-862: Missing Authorization reflects this absence of authorization checks at the API layer.
The impact is limited to the integrity of notification records. Confidentiality of other data and overall service availability are not directly affected by this flaw. Notification records often track security-relevant events, so tampering can disrupt operational visibility and obscure prior administrative actions.
Root Cause
The root cause is missing session validation on notification management API routes. The endpoint handlers proceed to mutate persistence-layer records without first confirming that the request originates from an authenticated principal with rights to the target record.
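The shape of the defect and of the fix, as an added illustration that is not Devolutions Server code: the request shape, the session store, the record store and the cookie name `DVLS.Session` are all assumptions made for the example. The vulnerable handler mutates whatever record id it is handed; the hardened handler first resolves the session to a principal (authentication) and then checks that the principal owns the specific record (object-level authorization), which is the check CWE-862 names.

```python
"""Notification delete handler, vulnerable form beside the hardened form.

Added example for illustration: this is not Devolutions Server code. The
request shape, session store, record store and cookie name are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Notification:
    id: int
    owner: str          # principal that owns the record
    text: str


@dataclass
class Request:
    cookies: Dict[str, str]
    notification_id: int   # identifier taken from the URL path


class Unauthenticated(Exception):
    """No valid session accompanies the request (HTTP 401)."""


class Forbidden(Exception):
    """Caller is authenticated but does not own the record (HTTP 403)."""


SESSION_COOKIE = "DVLS.Session"   # assumed cookie name, not the product's


def sample_state():
    """Constructed in-memory stores standing in for the persistence layer."""
    sessions = {"sess-alice": "alice", "sess-bob": "bob"}   # session id -> principal
    records = {
        17: Notification(17, "alice", "Vault X exported"),
        42: Notification(42, "bob", "Password for prod-db viewed"),
    }
    return sessions, records


def delete_notification_vulnerable(req: Request, records: Dict[int, Notification]) -> bool:
    """CWE-862 pattern: the handler mutates whatever id it is given and never
    consults the session, so any network caller can delete any user's record."""
    return records.pop(req.notification_id, None) is not None


def delete_notification_fixed(req: Request, records: Dict[int, Notification],
                              sessions: Dict[str, str]) -> bool:
    """Hardened form: authenticate the caller, then authorize against the
    specific record (object-level check), and only then mutate."""
    principal: Optional[str] = sessions.get(req.cookies.get(SESSION_COOKIE, ""))
    if principal is None:
        raise Unauthenticated()
    rec = records.get(req.notification_id)
    if rec is None:
        return False
    if rec.owner != principal:
        # A valid session alone must not grant access to another user's record.
        raise Forbidden()
    del records[req.notification_id]
    return True


if __name__ == "__main__":
    sessions, records = sample_state()
    anon = Request(cookies={}, notification_id=42)
    print("vulnerable, anonymous delete of bob's record:",
          delete_notification_vulnerable(anon, dict(records)))
    attempts = [("anonymous", anon),
                ("alice deleting bob's", Request({SESSION_COOKIE: "sess-alice"}, 42)),
                ("bob deleting own", Request({SESSION_COOKIE: "sess-bob"}, 42))]
    for label, req in attempts:
        try:
            print("fixed,", label + ":", delete_notification_fixed(req, dict(records), sessions))
        except (Unauthenticated, Forbidden) as exc:
            print("fixed,", label + ":", type(exc).__name__)
```

Both checks are needed: a session check alone would still let any logged-in user delete other users' records, which is the classic insecure-direct-object-reference variant of the same weakness. In a real handler the missing-record and foreign-record cases are often collapsed into a single 404 so the endpoint does not confirm which ids exist.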
Attack Vector
The attack vector is network-based and requires no prior authentication or user interaction. An attacker able to reach the Devolutions Server HTTP interface crafts requests against the vulnerable notification endpoints and supplies identifiers for notification records belonging to arbitrary users. The server then modifies or deletes those records.
No verified proof-of-concept exploit code is publicly available. Refer to the Devolutions Security Advisory DEVO-2026-0012 for vendor-supplied technical details.
Detection Methods for CVE-2026-5146
Indicators of Compromise
- Unexpected deletion or modification of user notification records in Devolutions Server audit logs.
- HTTP requests to notification management endpoints lacking valid session cookies or authentication headers.
- Anomalous request volume against notification API routes from external or unauthenticated sources.
Detection Strategies
- Review Devolutions Server application logs for notification mutation events that do not correlate with an authenticated user session.
- Correlate web server access logs with application-layer authentication events to identify requests that reach notification endpoints without prior login activity.
- Monitor for sudden gaps or inconsistencies in notification history that may indicate tampering.
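The correlation described above, as an added example rather than anything shipped with Devolutions Server: it joins a web-tier access log against authentication events and flags mutating requests to notification routes that carry no session cookie, an unknown session id, or a session that was only issued after the request. The log formats, the route prefix `/api/notifications`, the cookie name `DVLS.Session` and the `LOGIN_OK` event are assumptions; the sample lines are constructed for the example. Adjust the parsers to the fields your Devolutions Server and IIS logging actually emit.

```python
"""Flag notification-endpoint mutations that no authenticated session explains.

Added example; not Devolutions Server tooling. Route prefix, cookie name and
log layouts are assumptions, and the sample log lines are constructed.
"""
import re
from datetime import datetime

# Assumed route prefix; the product's real paths are not given on the page.
NOTIFICATION_ROUTE = re.compile(r"^/api/notifications?(/|$)", re.I)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
SESSION_COOKIE = "DVLS.Session"   # assumed cookie name

# Constructed access log, IIS W3C style with the fields used here:
# date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
ACCESS_LOG = """\
2026-05-12 09:00:01 10.0.0.5 GET /api/notifications 200 DVLS.Session=s-alice
2026-05-12 09:00:07 10.0.0.5 DELETE /api/notifications/17 200 DVLS.Session=s-alice
2026-05-12 09:02:15 203.0.113.9 DELETE /api/notifications/42 200 -
2026-05-12 09:02:16 203.0.113.9 PUT /api/notifications/43 200 DVLS.Session=bogus
2026-05-12 09:03:00 10.0.0.6 POST /api/vaults 200 DVLS.Session=s-bob
"""

# Constructed application-layer authentication events: date time ip event session-id
AUTH_LOG = """\
2026-05-12 08:59:30 10.0.0.5 LOGIN_OK s-alice
2026-05-12 09:01:00 10.0.0.6 LOGIN_OK s-bob
"""


def parse_sessions(auth_log):
    """Map session id -> (client ip, login time) from successful logins."""
    sessions = {}
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        date, time, ip, event, sid = line.split()
        if event == "LOGIN_OK":
            sessions[sid] = (ip, datetime.fromisoformat(f"{date} {time}"))
    return sessions


def session_from_cookie(cookie_field):
    """Extract the session id from the cs(Cookie) field ('-' means no cookies)."""
    if cookie_field == "-":
        return None
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


def find_unauthenticated_mutations(access_log, sessions):
    """Return mutating requests to notification routes with no valid prior login."""
    findings = []
    for line in access_log.splitlines():
        if not line.strip():
            continue
        date, time, ip, method, path, status, cookie = line.split()
        if method not in MUTATING or not NOTIFICATION_ROUTE.match(path):
            continue
        ts = datetime.fromisoformat(f"{date} {time}")
        sid = session_from_cookie(cookie)
        if sid is None:
            reason = "no session cookie"
        elif sid not in sessions:
            reason = "unknown session id"
        elif sessions[sid][1] > ts:
            reason = "session issued after request"
        else:
            continue   # explained by an earlier successful login
        findings.append({"time": ts.isoformat(), "ip": ip, "method": method,
                         "path": path, "status": int(status), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_mutations(ACCESS_LOG, parse_sessions(AUTH_LOG)):
        print(f)
```

A finding with a 2xx status is the important one: on a vulnerable build the server accepts the request, whereas a patched server answers such requests with 401 or 403 and the same line becomes evidence of an attempt rather than of tampering.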
Monitoring Recommendations
- Enable verbose logging on the Devolutions Server web tier and forward logs to a centralized SIEM for retention and analysis.
- Alert on HTTP requests to notification endpoints originating from untrusted networks or IP ranges outside expected administrative access.
- Track integrity baselines of notification records and alert on out-of-band deletions.
How to Mitigate CVE-2026-5146
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as identified in DEVO-2026-0012.
- Restrict network exposure of Devolutions Server management interfaces to trusted administrative networks only.
- Audit notification records and supporting backups to identify any tampering that occurred prior to patching.
Patch Information
Devolutions has published fixed builds addressing the missing session validation. Administrators running 2026.1.6.0 through 2026.1.15.0 or 2025.3.19.0 and earlier should upgrade to the remediated version listed in the Devolutions Security Advisory.
Workarounds
- Place Devolutions Server behind a reverse proxy or web application firewall that blocks unauthenticated access to notification management routes.
- Limit inbound access to the Devolutions Server HTTPS listener using network ACLs until the patch can be applied.
- Increase log retention and review frequency for notification-related events during the remediation window.
# Example: restrict inbound access to Devolutions Server using Windows Firewall rules
# Replace <trusted-admin-cidr> with your administrative network range.
# Windows Firewall gives an explicit Block rule precedence over any Allow rule that
# matches the same traffic, so a catch-all Block on 443 would also shut out the
# trusted range. Rely on the profile default (block unmatched inbound) and disable
# broader Allow rules for TCP/443 instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "Devolutions Server - Admin Only" `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress <trusted-admin-cidr> -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.