CVE-2026-9224 Overview
CVE-2026-9224 is a missing authorization vulnerability [CWE-862] in the user profile update feature of Devolutions Server. An authenticated Active Directory user can modify their own profile attributes through a crafted Application Programming Interface (API) request. The flaw stems from insufficient authorization checks on profile update endpoints that should restrict modification of synchronized directory attributes.
The vulnerability affects Devolutions Server versions 2026.1.6.0 through 2026.1.16.0 and 2025.3.20.0 and earlier. The issue requires authenticated access and yields limited integrity impact with no confidentiality or availability effects.
Critical Impact
An authenticated Active Directory user can alter their own profile attributes within Devolutions Server, potentially desynchronizing identity data and undermining trust in directory-sourced user information.
Affected Products
- Devolutions Server 2026.1.6.0 through 2026.1.16.0
- Devolutions Server 2025.3.20.0 and earlier
- Devolutions Server deployments integrated with Active Directory authentication
Discovery Timeline
- 2026-05-22 - CVE-2026-9224 published to the National Vulnerability Database (NVD)
- 2026-05-22 - Devolutions published security advisory DEVO-2026-0013
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-9224
Vulnerability Analysis
The vulnerability resides in the user profile update workflow exposed by the Devolutions Server API. The endpoint accepts profile attribute changes from authenticated users but fails to enforce authorization rules over which attributes a user may modify. Active Directory-sourced attributes should remain read-only inside the server and only change through directory synchronization.
Because the missing authorization check applies to the authenticated user's own record, an attacker only needs valid Active Directory credentials. The attack vector is network-based with low attack complexity, low required privileges, and no user interaction. Impact is limited to integrity of the user's own profile attributes; confidentiality and availability remain unaffected.
Profile attribute tampering can complicate identity governance. Modified fields may affect downstream lookups, notification routing, audit attribution, or access decisions that depend on profile metadata. The defect aligns with the Common Weakness Enumeration category for Missing Authorization [CWE-862].
Root Cause
The root cause is the absence of an authorization layer that validates whether the calling identity is permitted to write specific profile attributes. The server treats authentication as sufficient and does not separately enforce that attributes originating from Active Directory must be immutable through the user-facing API.
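The missing check described above, modelled as an added example (not Devolutions' code): the vulnerable handler treats authentication as sufficient, while the hardened one authorizes each attribute write and refuses directory-sourced attributes through the user-facing API. The attribute names, the per-attribute "source" field and the admin set are assumptions.

```python
# Added example (not Devolutions' code): a minimal model of the missing check
# described above, with the vulnerable handler beside a hardened one. The
# attribute names, the per-attribute "source" field and the admin set are assumptions.
ADMINS = {"svc-admin"}


class AuthorizationError(Exception):
    pass


def make_profiles():
    """Constructed profile store; each attribute records where it is mastered."""
    return {"jdoe": {
        "displayName": {"value": "Jane Doe", "source": "ad"},
        "mail": {"value": "jdoe@example.test", "source": "ad"},
        "theme": {"value": "dark", "source": "local"},
    }}


def update_profile_vulnerable(caller, target, changes, profiles):
    """Authentication only: any signed-in caller may write any attribute of
    the target record, including directory-sourced ones (the CWE-862 pattern)."""
    if caller is None:
        raise AuthorizationError("unauthenticated")
    for attr, value in changes.items():
        profiles[target][attr]["value"] = value
    return profiles[target]


def update_profile_hardened(caller, target, changes, profiles):
    """Per-attribute authorization: callers write only their own record unless
    they are admins, and directory-mastered attributes are never writable via
    the user-facing API; they change only through directory synchronization."""
    if caller is None:
        raise AuthorizationError("unauthenticated")
    if caller != target and caller not in ADMINS:
        raise AuthorizationError("cannot modify another user's profile")
    record = profiles[target]
    # Validate the whole request before applying anything, so a rejected
    # request leaves no partial writes behind.
    for attr in changes:
        if attr not in record:
            raise AuthorizationError(f"unknown attribute {attr!r}")
        if record[attr]["source"] == "ad":
            raise AuthorizationError(f"{attr!r} is directory-managed and read-only here")
    for attr, value in changes.items():
        record[attr]["value"] = value
    return record
```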
Attack Vector
Exploitation requires a valid authenticated session as an Active Directory user. The attacker sends a crafted API request to the profile update endpoint specifying attributes the server should reject. The server applies the changes without further authorization validation. No public proof-of-concept or in-the-wild exploitation is documented, and EPSS scoring reflects a low likelihood of near-term exploitation activity.
The vulnerability is described in prose only. See the Devolutions Security Advisory DEVO-2026-0013 for vendor technical details.
Detection Methods for CVE-2026-9224
Indicators of Compromise
- API requests targeting user profile update endpoints from non-administrative accounts
- Modifications to profile attributes that should be sourced exclusively from Active Directory synchronization
- Discrepancies between Devolutions Server profile values and the authoritative Active Directory record for the same user
Detection Strategies
- Review Devolutions Server audit logs for profile update events initiated by standard Active Directory users
- Correlate profile attribute changes with directory synchronization timestamps to identify out-of-band modifications
- Alert on update requests that change directory-managed attributes outside of scheduled sync operations
Monitoring Recommendations
- Forward Devolutions Server audit and API logs to a centralized Security Information and Event Management (SIEM) platform for retention and correlation
- Establish a baseline for normal profile update activity and flag deviations by volume or attribute type
- Periodically reconcile user profile attributes between Devolutions Server and Active Directory to detect drift
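The detection strategies above (correlating profile changes with sync timestamps and alerting on directory-managed attributes changed out of band) and the drift reconciliation in the monitoring recommendations, as an added example that is not Devolutions' tooling. The JSON-lines audit format, field names, actor names and sync tolerance are assumptions; the log is constructed.

```python
# Added example (not Devolutions' tooling): correlate constructed profile-update
# audit events with directory-sync runs, flag directory-managed attributes changed
# outside a sync window by a non-admin actor, and reconcile server values against
# the authoritative AD record. Log format, field names and tolerance are assumptions.
import json
from datetime import datetime, timedelta, timezone

DIRECTORY_MANAGED = {"displayName", "mail"}
ADMINS = {"svc-admin"}
SYNC_TOLERANCE = timedelta(minutes=5)

# Constructed JSON-lines audit log: one sync run, then three profile updates.
AUDIT_LOG = """\
{"ts": "2026-05-20T02:00:00Z", "actor": "svc-sync", "action": "DirectorySync"}
{"ts": "2026-05-20T02:00:41Z", "actor": "svc-sync", "action": "ProfileUpdate", "target": "jdoe", "attr": "displayName", "old": "J Doe", "new": "Jane Doe"}
{"ts": "2026-05-20T09:15:02Z", "actor": "jdoe", "action": "ProfileUpdate", "target": "jdoe", "attr": "theme", "old": "dark", "new": "light"}
{"ts": "2026-05-20T09:16:30Z", "actor": "jdoe", "action": "ProfileUpdate", "target": "jdoe", "attr": "mail", "old": "jdoe@example.test", "new": "j.doe@elsewhere.test"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_out_of_band_updates(log_text):
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    sync_times = [parse_ts(e["ts"]) for e in events if e["action"] == "DirectorySync"]
    findings = []
    for e in events:
        if e["action"] != "ProfileUpdate" or e["attr"] not in DIRECTORY_MANAGED:
            continue  # local-only attributes such as "theme" are legitimately user-editable
        ts = parse_ts(e["ts"])
        in_sync_window = any(abs(ts - s) <= SYNC_TOLERANCE for s in sync_times)
        if e["actor"] in ADMINS or in_sync_window:
            continue  # expected path: scheduled sync or administrative change
        findings.append({**e, "reason": "directory-managed attribute changed out of band"})
    return findings


def reconcile_drift(server_profiles, directory_records):
    """Return (user, attr, server_value, ad_value) for every directory-managed
    attribute whose server copy disagrees with the authoritative AD record."""
    drift = []
    for user, ad_attrs in directory_records.items():
        srv = server_profiles.get(user, {})
        for attr in sorted(set(ad_attrs) & DIRECTORY_MANAGED):
            if srv.get(attr) != ad_attrs[attr]:
                drift.append((user, attr, srv.get(attr), ad_attrs[attr]))
    return drift
```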
How to Mitigate CVE-2026-9224
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as identified in DEVO-2026-0013
- Inventory all Devolutions Server instances and confirm versions against the affected ranges 2026.1.6.0 through 2026.1.16.0 and 2025.3.20.0 and earlier
- Audit recent profile update activity for unauthorized attribute modifications by authenticated users
Patch Information
Devolutions has published security advisory DEVO-2026-0013 with remediation guidance. Administrators should apply the fixed version provided by the vendor and validate that profile update endpoints reject unauthorized attribute changes after the upgrade.
Workarounds
- Restrict network access to the Devolutions Server API to trusted administrative networks where feasible
- Reduce the number of Active Directory accounts authorized to authenticate to Devolutions Server until the patch is deployed
- Increase audit log review cadence for profile update events while remediation is pending
# Example: validate installed Devolutions Server version against the affected ranges in DEVO-2026-0013
# Replace with your environment's actual query mechanism; the registry path is illustrative
$v = [version](Get-ItemProperty "HKLM:\SOFTWARE\Devolutions\Server").DisplayVersion
if (($v -ge [version]"2026.1.6.0" -and $v -le [version]"2026.1.16.0") -or $v -le [version]"2025.3.20.0") {
    "Affected: $v - apply the fixed release from DEVO-2026-0013"
} else { "Not in the affected ranges: $v" }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.