CVE-2026-8407 Overview
CVE-2026-8407 is a missing authorization vulnerability in the Privileged Access Management (PAM) module of Devolutions Server. An authenticated user holding a PAM license but lacking additional permissions can issue crafted requests to PAM API endpoints to retrieve one-time password (OTP) secret keys and recovery codes. The weakness is tracked under CWE-862: Missing Authorization. Affected versions include Devolutions Server 2026.1.6.0 through 2026.1.11.0 and 2025.3.16.0 and earlier. The vendor disclosed the issue in Devolutions Security Advisory DEVO-2026-0010.
Critical Impact
Authenticated low-privileged users can harvest OTP secret keys and recovery codes, undermining multi-factor authentication enforced by the Devolutions Server PAM module.
Affected Products
- Devolutions Server 2026.1.6.0 through 2026.1.11.0
- Devolutions Server 2025.3.16.0 and earlier
- Devolutions Server PAM module
Discovery Timeline
- 2026-05-12 - CVE-2026-8407 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8407
Vulnerability Analysis
The Devolutions Server PAM module exposes API endpoints that return sensitive OTP material. The endpoints authenticate callers but fail to verify whether the caller is authorized to read the targeted secrets. Any session that holds a valid PAM license satisfies the authentication check, regardless of role assignments or vault permissions.
The vulnerability falls under CWE-862 because the access decision relies on authentication status rather than explicit authorization. A user with no operational permissions can request OTP secret keys and recovery codes used to bootstrap multi-factor authentication. Exposure of these values lets an attacker generate valid OTP codes offline, bypassing the second factor for any account whose seed was retrieved.
Root Cause
The PAM API endpoints omit per-resource authorization checks before returning OTP secrets. The server treats license entitlement as sufficient authority to access the underlying secret material. There is no enforcement of vault membership, role assignment, or object-level permission scope when the crafted requests reach the OTP retrieval handlers.
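A minimal model of the authorization gap described above, as an added example that is not Devolutions' code: the vulnerable handler stops at the license check, the hardened one also enforces an object-level vault permission. The class, role and vault names, the ACL shape and the placeholder secret values are all assumptions.

```python
# Added example (not Devolutions' code): a minimal model of the authorization gap described
# above. Names, roles and the permission model are assumptions.
class Session:
    def __init__(self, user, roles, has_pam_license):
        self.user, self.roles, self.has_pam_license = user, set(roles), has_pam_license

VAULT_OTP_READERS = {"finance": {"alice"}}  # constructed vault ACL (assumed model)
OTP_SECRETS = {("finance", "svc-finance"): {"seed": "BASE32-SEED-PLACEHOLDER",
                                             "recovery": ["RECOVERY-CODE-PLACEHOLDER"]}}

def get_otp_vulnerable(session, vault, entry):
    """Vulnerable pattern: authentication plus license entitlement is treated as authorization."""
    if not session.has_pam_license:
        raise PermissionError("PAM license required")
    return OTP_SECRETS[(vault, entry)]

def is_authorized(session, vault):
    """Object-level check: administrator role or an explicit permission on this vault."""
    return "Administrator" in session.roles or session.user in VAULT_OTP_READERS.get(vault, set())

def get_otp_fixed(session, vault, entry):
    """Hardened pattern: the license is necessary but not sufficient; the vault ACL decides."""
    if not session.has_pam_license:
        raise PermissionError("PAM license required")
    if not is_authorized(session, vault):
        raise PermissionError(f"{session.user} may not read OTP material in vault {vault}")
    return OTP_SECRETS[(vault, entry)]

def outcome(handler, session, vault="finance", entry="svc-finance"):
    """'disclosed' if the handler returns the secret, 'denied' if it refuses."""
    try:
        handler(session, vault, entry)
        return "disclosed"
    except PermissionError:
        return "denied"
```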
Attack Vector
An attacker requires a valid authenticated session and a PAM license assignment on the target Devolutions Server. The attacker sends crafted HTTP requests to PAM API endpoints that return OTP secret keys and recovery codes. No user interaction is required, and the attack is delivered over the network. With the harvested seeds, the attacker can compute valid OTP values for protected accounts or replay recovery codes to bypass MFA challenges.
No verified exploit code is publicly available. Refer to the Devolutions Security Advisory DEVO-2026-0010 for vendor-provided technical detail.
Detection Methods for CVE-2026-8407
Indicators of Compromise
- Unusual volume of authenticated requests from a single principal to PAM API endpoints that return OTP secret material.
- Access to OTP secret keys or recovery codes by accounts that do not own or administer the related PAM vaults.
- Successful MFA validations from new client locations shortly after PAM API access by an unrelated low-privileged account.
Detection Strategies
- Review Devolutions Server audit logs for PAM API calls that returned OTP secrets to accounts without administrative roles.
- Correlate PAM secret retrievals with subsequent successful OTP authentications across the identity provider to identify potential MFA bypass chains.
- Baseline normal PAM API usage per user and alert on deviations, especially read operations against OTP-related endpoints.
Monitoring Recommendations
- Forward Devolutions Server application and audit logs to a centralized logging platform for retention and correlation.
- Alert on any retrieval of OTP recovery codes, which is a low-frequency, high-sensitivity event in normal operations.
- Track license assignment changes for the PAM module and review whether assigned users require access to OTP material.
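The three detection strategies above and the recovery-code alert from the monitoring recommendations, implemented as an added example that is not part of this page or of Devolutions' tooling. The audit event names, field names, roles, vault-administrator mapping and identity-provider records are constructed assumptions, not the real Devolutions Server audit schema, and must be mapped to your actual log formats.

```python
# Added example (not Devolutions' code): the detection strategies above, run over constructed
# audit events. Event names, fields and roles are assumptions; map them to the real Devolutions
# Server audit schema and your IdP's log format before use.
from datetime import datetime, timedelta

PAM_EVENTS = [  # constructed Devolutions Server PAM audit events (schema assumed)
    {"ts": "2026-05-10T09:00:05", "user": "alice", "role": "Administrator",
     "action": "PAM.OtpSecret.Read", "vault": "finance", "target": "svc-finance"},
    {"ts": "2026-05-10T09:14:22", "user": "bob", "role": "User",
     "action": "PAM.OtpSecret.Read", "vault": "finance", "target": "svc-finance"},
    {"ts": "2026-05-10T09:14:30", "user": "bob", "role": "User",
     "action": "PAM.RecoveryCodes.Read", "vault": "finance", "target": "svc-finance"},
    {"ts": "2026-05-10T10:01:00", "user": "carol", "role": "User",
     "action": "PAM.Credential.Checkout", "vault": "it", "target": "svc-backup"},
]
MFA_EVENTS = [  # constructed identity-provider MFA results (schema assumed)
    {"ts": "2026-05-10T09:31:40", "account": "svc-finance", "result": "success", "ip": "203.0.113.7"},
    {"ts": "2026-05-10T11:45:00", "account": "svc-backup", "result": "success", "ip": "10.0.0.4"},
]
VAULT_ADMINS = {"finance": {"alice"}, "it": {"dave"}}  # constructed: vault administrators
SENSITIVE = {"PAM.OtpSecret.Read", "PAM.RecoveryCodes.Read"}
ADMIN_ROLES = {"Administrator"}

def unauthorized_otp_reads(events, vault_admins=VAULT_ADMINS):
    """Strategy 1: OTP material returned to accounts with neither an admin role nor vault admin rights."""
    return [e for e in events if e["action"] in SENSITIVE and e["role"] not in ADMIN_ROLES
            and e["user"] not in vault_admins.get(e["vault"], set())]

def recovery_code_reads(events):
    """Monitoring rule: every recovery-code retrieval is alert-worthy on its own."""
    return [e for e in events if e["action"] == "PAM.RecoveryCodes.Read"]

def mfa_bypass_chains(reads, mfa_events, window=timedelta(hours=1)):
    """Strategy 2: a suspicious read followed within the window by a successful MFA login of the
    same target account. Returns (reader, account, source ip, seconds between the two events)."""
    chains = []
    for r in reads:
        for m in mfa_events:
            gap = datetime.fromisoformat(m["ts"]) - datetime.fromisoformat(r["ts"])
            if m["account"] == r["target"] and m["result"] == "success" and timedelta(0) <= gap <= window:
                chains.append((r["user"], m["account"], m["ip"], int(gap.total_seconds())))
    return chains

def sensitive_reads_per_user(events):
    """Strategy 3: per-user counts of OTP-related reads, to compare against a stored baseline."""
    counts = {}
    for e in events:
        if e["action"] in SENSITIVE:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```

Feed `unauthorized_otp_reads` output into `mfa_bypass_chains` so that only reads by accounts without a legitimate reason are correlated against the identity provider's successful MFA logins.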
How to Mitigate CVE-2026-8407
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as identified in Devolutions Security Advisory DEVO-2026-0010.
- Rotate OTP secret keys and recovery codes for any account whose seeds may have been exposed to low-privileged PAM users.
- Audit PAM license assignments and remove the license from users who do not require PAM functionality.
Patch Information
Devolutions has published fix guidance in Devolutions Security Advisory DEVO-2026-0010. Administrators should upgrade 2026.1 deployments to a release later than 2026.1.11.0 and move deployments on 2025.3.16.0 or earlier to a vendor-supported fixed release.
Workarounds
- Restrict PAM license assignment to administrators and verified privileged operators until patching is complete.
- Limit network access to the Devolutions Server management interface to trusted administrative subnets.
- Force rotation of OTP seeds and recovery codes after upgrading to confirm that any previously disclosed material is invalidated.
# Example: review users currently holding a PAM license and confirm necessity
# Run from a Devolutions Server administrative session
# The Get-DSPamLicenseAssignment cmdlet and the Role property are used here as named on this page;
# confirm both against the installed Devolutions Server PowerShell module before relying on the output
Get-DSPamLicenseAssignment | Where-Object { $_.Role -ne 'Administrator' }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.