CVE-2026-9248 Overview
CVE-2026-9248 is an authorization bypass vulnerability in the entry duplication feature of Devolutions Server. An authenticated user with write access to any vault can copy documentation and attachments from an entry stored in a vault they are not authorized to access. The attack requires a crafted save request directed at the duplication endpoint. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key) and affects both current and earlier release branches of Devolutions Server.
Critical Impact
Authenticated users can exfiltrate documentation and attachments from restricted vaults by abusing the entry duplication workflow, bypassing vault-level access controls.
Affected Products
- Devolutions Server 2026.1.6.0 through 2026.1.16.0
- Devolutions Server 2025.3.20.0 and earlier
- Devolutions Server (all editions exposing the vault entry duplication feature)
Discovery Timeline
- 2026-05-22 - CVE-2026-9248 published to NVD
- 2026-05-22 - Last updated in NVD database
- Vendor advisory - Published as Devolutions Security Advisory DEVO-2026-0013
Technical Details for CVE-2026-9248
Vulnerability Analysis
The vulnerability resides in the entry duplication workflow of Devolutions Server. The server validates that the requesting user has write access to the destination vault. It fails to verify that the user also has read access to the source entry referenced in the save request. An authenticated user can supply a source entry identifier belonging to a vault they cannot access. The server then copies the entry's documentation and attachments into the destination vault under the attacker's control.
The issue is scoped to confidentiality. The attacker cannot modify the original entry or impact availability of the source vault. Exploitation requires authentication, write access to at least one vault, and user interaction to complete the crafted save request. Attack complexity is elevated because the attacker must enumerate or guess valid source entry identifiers.
Root Cause
The duplication handler trusts a client-supplied entry identifier without performing an authorization check against the source vault. This is a classic insecure direct object reference pattern tracked under CWE-639. Access control is enforced on the destination side of the operation but not the source side.
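The asymmetry described above, as an added model written for this page (it is not Devolutions Server code; the vault ACL, entry fixture and function names are constructed assumptions): the vulnerable handler authorizes only the destination vault, while the hardened one also requires read access to the vault that owns the client-supplied source identifier.

```python
# Constructed model of the CWE-639 flaw in an entry duplication handler; not product code.
from dataclasses import dataclass, field


@dataclass
class Entry:
    entry_id: str
    vault_id: str
    documentation: str
    attachments: dict = field(default_factory=dict)


# Assumed fixture: "alice" can write to team-vault but has no access to exec-vault.
ENTRIES = {
    "e-100": Entry("e-100", "exec-vault", "board minutes", {"q3.pdf": b"<constructed>"}),
}
VAULT_ACL = {
    "team-vault": {"alice": {"read", "write"}},
    "exec-vault": {"bob": {"read", "write"}},
}


def has_permission(user, vault_id, perm):
    return perm in VAULT_ACL.get(vault_id, {}).get(user, set())


def duplicate_vulnerable(user, source_id, dest_vault):
    """Checks only the destination side; the source vault is never consulted."""
    if not has_permission(user, dest_vault, "write"):
        raise PermissionError("no write access to destination vault")
    src = ENTRIES[source_id]  # user-controlled key used directly
    return Entry(f"copy-of-{source_id}", dest_vault, src.documentation, dict(src.attachments))


def duplicate_fixed(user, source_id, dest_vault):
    """Authorizes both sides: write on the destination and read on the source vault."""
    if not has_permission(user, dest_vault, "write"):
        raise PermissionError("no write access to destination vault")
    src = ENTRIES.get(source_id)
    # Same error for unknown and out-of-scope ids, so a denied request does not
    # confirm that a guessed identifier exists.
    if src is None or not has_permission(user, src.vault_id, "read"):
        raise PermissionError("source entry not found or not accessible")
    return Entry(f"copy-of-{source_id}", dest_vault, src.documentation, dict(src.attachments))
```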
Attack Vector
The attack is conducted over the network against the Devolutions Server application. The attacker authenticates with low-privilege credentials, then issues a crafted save request to the duplication endpoint. The request references an entry identifier from a restricted vault. The server returns or persists the copied documentation and attachments into a vault the attacker controls, where the data can be read.
No verified proof-of-concept code is available. Refer to the Devolutions Security Advisory DEVO-2026-0013 for vendor technical details.
Detection Methods for CVE-2026-9248
Indicators of Compromise
- Entry duplication requests where the source entry identifier belongs to a vault the requesting user is not a member of.
- Unexpected appearance of documentation or attachments in user-owned vaults that mirror content from restricted vaults.
- Audit log entries showing duplication operations performed by accounts that have no read access to the referenced source vault.
Detection Strategies
- Review Devolutions Server audit logs for duplication or save operations and correlate the source entry identifier against the requesting user's vault membership.
- Alert on duplication API calls that reference entries outside the user's authorized vault scope.
- Compare attachment hashes and document content across vaults to identify unauthorized copies created after the vulnerability window opened.
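The correlation that the indicators and detection strategies above call for, as an added example (not vendor tooling): each duplication record is checked against a vault membership snapshot and an entry-to-vault index. The JSON field names, membership data and audit lines are constructed assumptions and must be mapped onto the real Devolutions Server audit schema.

```python
import json

# Constructed membership snapshot and entry index; assumptions, not product data.
VAULT_MEMBERS = {
    "team-vault": {"alice", "bob"},
    "exec-vault": {"bob"},
}
ENTRY_VAULT = {"e-100": "exec-vault", "e-200": "team-vault", "e-300": "team-vault"}

# Constructed audit records in an assumed JSON-lines shape.
AUDIT_LOG = """\
{"ts":"2026-05-23T08:01:10Z","user":"alice","action":"entry.duplicate","source_entry":"e-200","dest_vault":"team-vault"}
{"ts":"2026-05-23T08:02:44Z","user":"alice","action":"entry.duplicate","source_entry":"e-100","dest_vault":"team-vault"}
{"ts":"2026-05-23T08:03:02Z","user":"bob","action":"entry.duplicate","source_entry":"e-100","dest_vault":"team-vault"}
{"ts":"2026-05-23T08:04:15Z","user":"alice","action":"entry.duplicate","source_entry":"e-999","dest_vault":"team-vault"}
{"ts":"2026-05-23T08:05:00Z","user":"alice","action":"entry.update","source_entry":"e-200","dest_vault":"team-vault"}
"""


def find_cross_vault_duplications(log_text, entry_vault, vault_members):
    """Return duplication records whose requester is not a member of the source vault.

    Unknown source identifiers are reported too: they fit identifier guessing,
    which the advisory notes is needed to reach entries in restricted vaults.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "entry.duplicate":
            continue
        src_vault = entry_vault.get(rec["source_entry"])
        if src_vault is None:
            findings.append({**rec, "reason": "unknown source entry"})
        elif rec["user"] not in vault_members.get(src_vault, set()):
            findings.append({**rec, "source_vault": src_vault,
                             "reason": "requester not a member of source vault"})
    return findings


if __name__ == "__main__":
    for f in find_cross_vault_duplications(AUDIT_LOG, ENTRY_VAULT, VAULT_MEMBERS):
        print(f["ts"], f["user"], f["source_entry"], f["reason"])
```

Run it over a real export by replacing AUDIT_LOG with the forwarded log text and feeding the membership snapshot taken at the start of the review window, since later ACL changes would mask earlier findings.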
Monitoring Recommendations
- Forward Devolutions Server application and audit logs to a centralized SIEM for retention and correlation.
- Establish a baseline of normal duplication activity per user and alert on deviations.
- Monitor for accounts with write access to low-sensitivity vaults that begin issuing duplication requests at unusual rates.
How to Mitigate CVE-2026-9248
Immediate Actions Required
- Upgrade Devolutions Server to a fixed release as published in Devolutions Security Advisory DEVO-2026-0013.
- Audit vault membership and remove unnecessary write access from accounts that do not require it.
- Review duplication and save activity in audit logs since the earliest affected version was deployed.
Patch Information
Devolutions has published guidance in advisory DEVO-2026-0013. Administrators should upgrade beyond 2026.1.16.0 for the 2026 branch and beyond 2025.3.20.0 for the 2025 branch. Verify the installed build after upgrade and re-run access control reviews.
Workarounds
- Restrict write access to vaults to the minimum set of users required for operational tasks.
- Disable or restrict use of the entry duplication feature through role permissions where feasible until the patch is applied.
- Increase audit log retention and review frequency for duplication operations during the remediation window.
# Verify the installed Devolutions Server version against the fixed builds listed in DEVO-2026-0013
# Replace <host> with your server and confirm the version field; -k disables TLS certificate
# verification, so drop it once the server presents a certificate your client trusts
curl -sk https://<host>/dps/api/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.