CVE-2026-9246 Overview
CVE-2026-9246 is an improper access control vulnerability [CWE-862] in Devolutions Server. The flaw resides in the entry documentation and attachment features. An authenticated user with vault read access can retrieve documentation and attachments belonging to sealed entries by issuing a crafted API request. Sealed entries are intended to restrict access to sensitive content even from users who can browse the vault, so this bypass exposes confidential reference material that administrators expected to remain protected.
Critical Impact
Authenticated users with vault read permissions can exfiltrate documentation and attachments from sealed entries, undermining the confidentiality control that sealing is designed to enforce.
Affected Products
- Devolutions Server 2026.1.6.0 through 2026.1.16.0
- Devolutions Server 2025.3.20.0 and earlier
- Any other Devolutions Server build older than the fixed releases listed in advisory DEVO-2026-0013; treat it as affected until the vendor states otherwise
Discovery Timeline
- 2026-05-22 - CVE-2026-9246 published to the National Vulnerability Database (NVD)
- 2026-05-22 - Devolutions published advisory DEVO-2026-0013
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-9246
Vulnerability Analysis
Devolutions Server implements a sealing mechanism that restricts visibility of sensitive entry content even when a user has general read access to the containing vault. The server enforces this restriction at the primary entry retrieval path. However, the API endpoints that serve entry documentation and attachments do not consistently re-check the sealed state before returning data.
An authenticated user with vault read access can therefore call the documentation or attachment endpoints directly using a known entry identifier. The response includes the protected content that would otherwise be blocked by the sealed entry control. The weakness aligns with CWE-862: Missing Authorization.
Root Cause
The root cause is missing authorization logic in the documentation and attachment retrieval code paths. The sealed-entry check is enforced on the main entry object but is not propagated to its associated child resources. As a result, authorization decisions rely on vault-level permissions alone rather than on the per-entry sealed state.
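The pattern described in the analysis and root cause above, reduced to a runnable model. This is an added example written for this page, not Devolutions Server code: the Entry and Session types, the sample vault, and the handler names are hypothetical stand-ins. The point it makes is that a child-resource handler which only checks vault membership serves sealed content, while a handler that resolves its parent entry through the same authorization decision as the primary path does not.

```python
"""Model of the gap: the sealed check runs on the entry endpoint but is
skipped on its child resources (documentation, attachments), i.e. CWE-862.

Illustrative code for this page only. Every name here (Entry, Session,
the handlers, the sample entries) is a hypothetical stand-in, not the
real Devolutions Server implementation.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Authorization failure; a real server would map this to HTTP 403."""


@dataclass
class Entry:
    entry_id: str
    vault_id: str
    sealed: bool
    documentation: str
    attachments: dict = field(default_factory=dict)   # name -> bytes


@dataclass
class Session:
    user: str
    vault_read: set     # vaults the user may browse
    unseal: set         # entry ids the user is allowed to unseal


# Constructed sample vault: one ordinary entry and one sealed entry.
ENTRIES = {
    "e-100": Entry("e-100", "vault-a", False, "Public runbook"),
    "e-101": Entry("e-101", "vault-a", True, "Break-glass procedure",
                   {"keys.txt": b"constructed secret"}),
}


def authorize(session, entry):
    """Full decision: vault read access AND, for sealed entries, unseal rights."""
    if entry.vault_id not in session.vault_read:
        raise Forbidden("no read access to vault %s" % entry.vault_id)
    if entry.sealed and entry.entry_id not in session.unseal:
        raise Forbidden("entry %s is sealed" % entry.entry_id)
    return entry


def get_entry(session, entry_id):
    """Primary retrieval path: applies the full check."""
    return authorize(session, ENTRIES[entry_id])


# --- vulnerable child-resource handlers: vault-level check only -----------
def get_documentation_vulnerable(session, entry_id):
    entry = ENTRIES[entry_id]
    if entry.vault_id not in session.vault_read:
        raise Forbidden("no read access to vault")
    return entry.documentation          # sealed state never consulted


def get_attachment_vulnerable(session, entry_id, name):
    entry = ENTRIES[entry_id]
    if entry.vault_id not in session.vault_read:
        raise Forbidden("no read access to vault")
    return entry.attachments[name]      # sealed state never consulted


# --- hardened handlers: resolve the parent through the same decision -------
def get_documentation_fixed(session, entry_id):
    return get_entry(session, entry_id).documentation


def get_attachment_fixed(session, entry_id, name):
    return get_entry(session, entry_id).attachments[name]


def outcome(handler, session, *args):
    """Return the served content, or "forbidden" if the handler refuses."""
    try:
        return handler(session, *args)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    reader = Session("alice", vault_read={"vault-a"}, unseal=set())
    print(outcome(get_entry, reader, "e-101"))                     # forbidden
    print(outcome(get_documentation_vulnerable, reader, "e-101"))  # leaks content
    print(outcome(get_documentation_fixed, reader, "e-101"))       # forbidden
```

The fix is deliberately boring: the child handlers do not grow their own copy of the sealed check, they call the same function the primary path uses, so a future change to the authorization rule cannot diverge between the two paths.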
Attack Vector
Exploitation requires network access to the Devolutions Server API and valid credentials with at least read access to a vault containing sealed entries. The attacker enumerates or guesses an entry identifier and submits a crafted API request to the documentation or attachment endpoint for that entry. No user interaction or elevated privileges are required. The impact is limited to disclosure of protected reference content (documentation and attachments); credential material handled by other entry types is not in scope of this advisory.
No public proof-of-concept exploit code is available. Refer to the Devolutions Security Advisory DEVO-2026-0013 for vendor technical details.
Detection Methods for CVE-2026-9246
Indicators of Compromise
- API access log entries showing requests to documentation or attachment endpoints from accounts that do not normally interact with sealed entries.
- Repeated enumeration of entry identifiers by a single authenticated session within a short time window.
- Successful HTTP 200 responses from documentation or attachment endpoints referencing entries flagged as sealed in the database.
Detection Strategies
- Review Devolutions Server audit logs for documentation and attachment retrieval operations (for example GetDocumentation and GetAttachment, if your audit schema names them that way) targeting sealed entries.
- Correlate user identity with vault membership to identify accounts retrieving content from entries they did not author or normally access.
- Baseline normal attachment retrieval volume per user and alert on statistical outliers.
Monitoring Recommendations
- Forward Devolutions Server audit and application logs to a centralized log platform for retention and analysis.
- Create alerts on bulk attachment downloads or sequential entry ID access patterns.
- Periodically reconcile sealed-entry access reports against the list of users authorized to view that content.
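The three indicators above (unauthorized 200s on sealed entries, rapid enumeration by one account, sequential entry IDs) and the reconciliation step in the monitoring list, implemented over IIS W3C log lines. This is an added example, not Devolutions tooling. Everything in it is a constructed assumption: the log lines, the URL layout (/api/entries/<id>/documentation and /api/entries/<id>/attachments/<name>), the field list, the SEALED_ENTRIES set (as you might export it from the database) and the AUTHORIZED map. Entry IDs are numeric here so the sequential check has something to detect; if your identifiers are opaque, drop that check and rely on the count-per-window check.

```python
"""Detection over IIS W3C log lines for sealed-entry content retrieval.

Added example for this page, not vendor tooling. Log lines, URL layout,
field names, SEALED_ENTRIES and AUTHORIZED are all constructed; adapt the
regex and reference data to your server's real log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the W3C layout IIS writes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-05-23 08:00:01 GET /api/entries/1001/documentation - alice 10.0.0.20 200
2026-05-23 08:00:02 GET /api/entries/1002/documentation - alice 10.0.0.20 200
2026-05-23 08:00:03 GET /api/entries/1003/documentation - alice 10.0.0.20 200
2026-05-23 08:00:04 GET /api/entries/1004/attachments/keys.txt - alice 10.0.0.20 200
2026-05-23 08:00:05 GET /api/entries/1005/documentation - alice 10.0.0.20 200
2026-05-23 08:15:00 GET /api/entries/2042/documentation - bob 10.0.0.21 200
2026-05-23 08:16:00 GET /api/vaults/7/entries - bob 10.0.0.21 200
2026-05-23 09:00:00 GET /api/entries/1003/documentation - carol 10.0.0.22 403
"""

# Constructed reference data: sealed entry ids and who is expected to open them.
SEALED_ENTRIES = {"1003", "1004", "2042"}
AUTHORIZED = {"2042": {"bob"}, "1003": {"carol"}, "1004": set()}

# Hypothetical endpoint layout; widen this to match your server's real paths.
CONTENT_RE = re.compile(
    r"^/api/entries/(?P<entry>[^/]+)/(documentation|attachments)(/|$)", re.I)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def content_requests(text):
    """(timestamp, user, entry_id, status) for documentation/attachment hits."""
    out = []
    for rec in parse_w3c(text):
        m = CONTENT_RE.match(rec["cs-uri-stem"])
        if not m:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        out.append((ts, rec["cs-username"], m.group("entry"), int(rec["sc-status"])))
    return out


def unauthorized_sealed_reads(text):
    """(user, entry) pairs where a sealed entry returned 200 to a non-listed user."""
    hits = set()
    for _, user, entry, status in content_requests(text):
        if status == 200 and entry in SEALED_ENTRIES and user not in AUTHORIZED.get(entry, set()):
            hits.add((user, entry))
    return sorted(hits)


def enumeration_sessions(text, window=timedelta(minutes=5), threshold=4):
    """Users who fetched >= threshold distinct entries (200) inside one window."""
    by_user = defaultdict(list)
    for ts, user, entry, status in content_requests(text):
        if status == 200:
            by_user[user].append((ts, entry))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {e for t, e in events[i:] if t - start <= window}
            if len(ids) >= threshold:
                flagged[user] = len(ids)
                break
    return flagged


def sequential_runs(text, min_run=3):
    """Users whose numeric entry ids form an ascending consecutive run."""
    by_user = defaultdict(list)
    for ts, user, entry, _ in content_requests(text):
        if entry.isdigit():
            by_user[user].append((ts, int(entry)))
    runs = {}
    for user, events in by_user.items():
        ids = [e for _, e in sorted(events)]
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            runs[user] = best
    return runs


if __name__ == "__main__":
    print("unauthorized sealed reads:", unauthorized_sealed_reads(SAMPLE_LOG))
    print("enumeration:", enumeration_sessions(SAMPLE_LOG))
    print("sequential runs:", sequential_runs(SAMPLE_LOG))
```

Only the unauthorized_sealed_reads check needs data the IIS log does not carry (the sealed flag and the expected readers), which is why the reconciliation bullet above asks for a periodic export; the other two checks run on the access log alone and are cheap enough to schedule against the daily log rotation.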
How to Mitigate CVE-2026-9246
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as listed in advisory DEVO-2026-0013.
- Review audit logs for the period preceding the upgrade to identify any unauthorized retrieval of sealed entry documentation or attachments.
- Rotate or invalidate any sensitive information that may have been exposed through sealed entry documentation or attachments.
Patch Information
Devolutions has published advisory DEVO-2026-0013 describing the fix. Administrators running Devolutions Server 2026.1.6.0 through 2026.1.16.0 or 2025.3.20.0 and earlier must update to a corrected build. Verify the running version through the administration console after the upgrade completes.
Workarounds
- Restrict vault read access to the minimum set of users that require it until the patch is deployed.
- Temporarily move highly sensitive documentation and attachments out of sealed entries on vulnerable servers, into a vault the affected users cannot read or off the server entirely. Moving them to another entry in the same vault does not help, because the bypass only needs vault read access.
- Increase audit logging verbosity and review access to sealed entries on a daily basis during the remediation window.
# Verify the installed Devolutions Server version on Windows
Get-ItemProperty "HKLM:\SOFTWARE\Devolutions\Devolutions Server" | Select-Object Version
# Review IIS logs for requests to documentation/attachment API endpoints
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC*\*.log" `
-Pattern "/api/.*(documentation|attachment)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.