CVE-2026-5171 Overview
CVE-2026-5171 is an improper access control vulnerability [CWE-284] affecting Devolutions Server. The flaw exists in the entry activity log feature and allows an authenticated user with access to an entry, but without the required permission, to retrieve that entry's activity logs through a crafted API request. Exploitation requires valid authentication and yields read-only access to log data, resulting in limited confidentiality impact without integrity or availability consequences.
Critical Impact
Authenticated users can retrieve activity log data for entries they should not have permission to view, exposing operational metadata such as access timestamps, user identifiers, and entry interaction history.
Affected Products
- Devolutions Server versions 2026.1.6.0 through 2026.1.16.0
- Devolutions Server versions 2025.3.20.0 and earlier
- Devolutions Server (privileged access management platform)
Discovery Timeline
- 2026-05-22 - CVE-2026-5171 published to the National Vulnerability Database (NVD)
- 2026-05-22 - Devolutions published security advisory DEVO-2026-0013
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-5171
Vulnerability Analysis
The vulnerability resides in the entry activity log feature of Devolutions Server. Devolutions Server enforces granular permissions on stored entries, separating the right to use or view an entry from the right to view its activity history. The API endpoint serving activity logs fails to validate whether the requesting user holds the specific activity-log permission for the targeted entry.
Authenticated users with general entry access can construct API requests that bypass this permission check. The server returns activity log data tied to the entry, including historical access events. Because the attacker requires existing access to the entry and obtains only log metadata, the disclosed information is limited in scope.
This is a classic broken access control issue, mapped to CWE-284 (Improper Access Control). The flaw stems from missing authorization enforcement on a secondary feature, not from authentication weakness.
Root Cause
The activity log API endpoint relies on the caller having entry access but does not perform a secondary authorization check for the activity-log permission. The permission model defines this right separately, yet the server-side handler omits the enforcement step before returning log records.
Attack Vector
Exploitation requires network access to the Devolutions Server API and valid authenticated credentials with at least entry-level access. The attacker issues a crafted API request referencing the entry identifier of interest. The server responds with activity log content despite the missing activity-log permission. No user interaction is required, and complexity is low.
No public proof-of-concept exists, and no exploitation in the wild has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Devolutions Security Advisory DEVO-2026-0013 for vendor technical details.
Detection Methods for CVE-2026-5171
Indicators of Compromise
- API requests to activity log endpoints originating from accounts that hold entry access but lack the activity-log permission for the referenced entry.
- Unusual volumes of activity log queries from a single authenticated user account targeting many distinct entry identifiers.
- Successful HTTP 200 responses to activity log API calls correlated with users not previously associated with administrative or audit roles.
Detection Strategies
- Review Devolutions Server audit logs for activity log retrieval events and cross-reference each event against the user's permission set for the queried entry.
- Alert on enumeration patterns where a single account requests activity logs for sequential or numerous entry identifiers within a short window.
- Compare API access traces against the expected permission matrix exported from Devolutions Server administration.
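The first two strategies above, as an added detection example run over constructed audit records in Python (not Devolutions code); the JSON field names, the activity_log.read action name and the shape of the permission export are assumptions:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed permission export (shape is an assumption): user -> entries with the activity-log right
PERMISSION_MATRIX = {
    "alice": {"entry-1001", "entry-1002"},
    "bob": set(),  # has entry access, but no activity-log permission on any entry
}
# Constructed JSON Lines audit records; field names are assumptions, not Devolutions' schema
AUDIT_LOG = """\
{"ts": "2026-05-23T09:00:01Z", "user": "alice", "action": "activity_log.read", "entry": "entry-1001", "status": 200}
{"ts": "2026-05-23T09:00:05Z", "user": "bob", "action": "activity_log.read", "entry": "entry-1001", "status": 200}
{"ts": "2026-05-23T09:00:06Z", "user": "bob", "action": "activity_log.read", "entry": "entry-1002", "status": 200}
{"ts": "2026-05-23T09:00:07Z", "user": "bob", "action": "activity_log.read", "entry": "entry-1003", "status": 200}
{"ts": "2026-05-23T09:00:08Z", "user": "bob", "action": "entry.open", "entry": "entry-1004", "status": 200}
"""

def parse_events(text):
    """Parse JSON Lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def unauthorized_reads(events, matrix):
    """Strategy 1: successful activity-log reads by users lacking that right for the entry."""
    return [e for e in events
            if e["action"] == "activity_log.read" and e["status"] == 200
            and e["entry"] not in matrix.get(e["user"], set())]

def enumeration_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Strategy 2: >= threshold distinct entries read by one account inside a sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "activity_log.read":
            per_user[e["user"]].append(e)
    alerts = {}  # user -> peak number of distinct entries read within one window
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["entry"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts
```

With the constructed records, bob's three reads are flagged by both checks while alice's single permitted read is not.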
Monitoring Recommendations
- Forward Devolutions Server application and API logs to a centralized SIEM for correlation against authorization baselines.
- Track per-user API request rates against activity log endpoints and establish thresholds for anomaly detection.
- Monitor for accounts accessing activity logs across entries that fall outside their normal job function or vault scope.
How to Mitigate CVE-2026-5171
Immediate Actions Required
- Upgrade Devolutions Server to the fixed release identified in advisory DEVO-2026-0013 as soon as maintenance windows permit.
- Inventory user accounts and review which users hold entry access without activity-log permissions, as these are the accounts capable of triggering the flaw.
- Audit historical activity log API access to identify any prior unauthorized retrieval attempts.
Patch Information
Devolutions has released fixed builds addressing the issue. Refer to the Devolutions Security Advisory DEVO-2026-0013 for the specific patched version numbers and upgrade guidance. All Devolutions Server instances running 2026.1.6.0 through 2026.1.16.0 or 2025.3.20.0 and earlier must be updated.
Workarounds
- Restrict Devolutions Server API network exposure to trusted administrative networks until the patch is applied.
- Tighten entry-level permissions so that only trusted users hold access to sensitive entries, reducing the population that can abuse the flaw.
- Increase audit log review cadence for activity log endpoints during the remediation window.
# Verify the running Devolutions Server version against the advisory
# Replace <server> with your Devolutions Server hostname
curl -s https://<server>/api/server/info | jq '.version'
# Confirm the version is at or above the fixed release noted in DEVO-2026-0013
# Versions in scope:
# 2026.1.6.0 through 2026.1.16.0
# 2025.3.20.0 and earlier
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.