CVE-2026-9247: Devolutions Server Information Disclosure

CVE-2026-9247 is an information disclosure vulnerability in Devolutions Server that allows authenticated users to bypass unseal notifications when exporting sealed entries. Learn about affected versions and mitigation.

CVE-2026-9247 Overview

CVE-2026-9247 is an insufficient logging vulnerability [CWE-778] in the entry export feature of Devolutions Server. An authenticated user with export permissions can export a sealed entry through a crafted export request without triggering the unseal notification sent to administrators. The flaw undermines audit visibility around sealed entries, which are intended to require explicit unseal events that alert privileged staff.

Critical Impact

Authenticated operators with export rights can exfiltrate sealed entry contents while bypassing administrator unseal notifications, weakening accountability and detection of privileged data access.

Affected Products

  • Devolutions Server 2026.1.6.0 through 2026.1.16.0
  • Devolutions Server 2025.3.20.0 and earlier
  • Vendor: Devolutions

Technical Details for CVE-2026-9247

Vulnerability Analysis

Devolutions Server allows administrators to mark sensitive entries as sealed. Sealed entries require an unseal action, which generates a notification to administrators so privileged access to secrets remains auditable. The export feature bypasses this control. When an authenticated user with export permissions issues a crafted export request, the server returns the sealed entry data without producing the unseal notification expected by administrators.

The weakness is classified under [CWE-778] Insufficient Logging. The export code path does not emit the same security-relevant audit event that the unseal flow produces, so the action escapes administrative monitoring. The attack requires network access, high privileges, and user interaction, and impacts integrity of audit data rather than confidentiality of the system as a whole.

The EPSS score for this issue is 0.032%, reflecting low expected exploitation activity, and no public proof-of-concept or known exploitation has been reported.

Root Cause

The export feature does not invoke the unseal audit and notification logic that gates direct sealed-entry access. Logging coverage across the two data-egress paths is asymmetric, allowing the export path to act as an unmonitored channel for sealed data.

Attack Vector

An authenticated account with export permissions submits a crafted export request targeting one or more sealed entries. The server processes the request, returns the entry data, and omits the unseal notification. Administrators do not receive the alert they would normally see when sealed entries are accessed, allowing the activity to go undetected through normal monitoring.

No public exploitation code is available. The vulnerability is exploitable only by authenticated users with the specific export privilege, limiting the practical attacker population to insiders or compromised privileged accounts.

Detection Methods for CVE-2026-9247

Indicators of Compromise

  • Export operations performed by accounts that hold export permissions against vaults or entries known to contain sealed items.
  • Absence of corresponding unseal notification events for sealed entries that have been accessed or removed from the environment.
  • Sealed entry content appearing in downstream systems or backups without a matching unseal audit record.

Detection Strategies

  • Correlate Devolutions Server export events with sealed-entry inventories to identify exports that touched sealed items without a paired unseal event.
  • Baseline normal export volume and cadence per user, and alert on deviations involving privileged vaults.
  • Review access logs for crafted or non-standard export API requests originating from accounts with export permissions.

Monitoring Recommendations

  • Forward Devolutions Server audit logs to a centralized SIEM for cross-event correlation between export, unseal, and entry-read activity.
  • Alert administrators directly on any export activity targeting vaults that contain sealed entries until the patched version is deployed.
  • Periodically reconcile sealed-entry access reports against administrator notification history to surface gaps.
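The export-to-unseal correlation from Detection Strategies, which is also the reconciliation described in the last monitoring recommendation, can be sketched as follows. This is an added example, not code from Devolutions or from the advisory; the event field names, action names, entry IDs and the one-hour pairing window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and action values are assumptions for
# illustration, not the actual Devolutions Server audit log schema.
SEALED_ENTRY_IDS = {"entry-102", "entry-311"}

AUDIT_EVENTS = [
    {"ts": "2026-03-02T09:14:05", "user": "alice", "action": "unseal", "entries": ["entry-102"]},
    {"ts": "2026-03-02T09:15:40", "user": "alice", "action": "export", "entries": ["entry-102", "entry-007"]},
    {"ts": "2026-03-02T11:02:13", "user": "bob", "action": "export", "entries": ["entry-311", "entry-008"]},
    {"ts": "2026-03-03T16:45:00", "user": "alice", "action": "export", "entries": ["entry-102"]},
    {"ts": "2026-03-03T17:00:00", "user": "carol", "action": "export", "entries": ["entry-009"]},
]


def find_unpaired_sealed_exports(events, sealed_ids, window=timedelta(hours=1)):
    """Return (ts, user, entry_id) for every sealed entry that was exported
    without an unseal event by the same user for that entry in the
    preceding `window`."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort by time
    last_unseal = {}  # (user, entry_id) -> datetime of the most recent unseal
    findings = []
    for ev in ordered:
        ts = datetime.fromisoformat(ev["ts"])
        for entry_id in ev["entries"]:
            if entry_id not in sealed_ids:
                continue  # only sealed entries are expected to produce unseal events
            key = (ev["user"], entry_id)
            if ev["action"] == "unseal":
                last_unseal[key] = ts
            elif ev["action"] == "export":
                unsealed_at = last_unseal.get(key)
                # A stale unseal (outside the window) does not cover a later export.
                if unsealed_at is None or ts - unsealed_at > window:
                    findings.append((ev["ts"], ev["user"], entry_id))
    return findings


if __name__ == "__main__":
    for ts, user, entry_id in find_unpaired_sealed_exports(AUDIT_EVENTS, SEALED_ENTRY_IDS):
        print(f"{ts} user={user} exported sealed entry {entry_id} with no paired unseal event")
```

The sealed-entry inventory has to be maintained independently of the export records, since the export path is the one that omits the unseal event.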

How to Mitigate CVE-2026-9247

Immediate Actions Required

  • Upgrade Devolutions Server to a fixed release as identified in Devolutions Security Advisory DEVO-2026-0013.
  • Audit which accounts hold the export permission and revoke it from users who do not require it.
  • Review recent export activity against sealed entries and confirm whether corresponding unseal notifications were generated.

Patch Information

Devolutions has published guidance and fixed builds in the Devolutions Security Advisory DEVO-2026-0013. Affected installations include Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. Administrators should consult the advisory for the specific fixed version applicable to their deployment branch and apply the update following standard change-control procedures.

Workarounds

  • Restrict the export permission to a minimal set of trusted administrators until patching is complete.
  • Enable additional alerting on all export operations and treat them as high-signal events pending remediation.
  • Move highly sensitive entries into vaults whose membership is limited to accounts that do not hold export rights.

Configuration example: review accounts and roles holding export permissions in Devolutions Server

  1. Sign in to the Devolutions Server web interface as an administrator.
  2. Navigate to: Administration > Roles
  3. For each role, inspect the "Export" permission and remove it where not required.
  4. Navigate to: Administration > Users and confirm role assignments.
  5. Enable export-related audit alerts under: Administration > Notifications

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
