
CVE-2026-9590: Devolutions Server Auth Bypass Vulnerability

CVE-2026-9590 is an authorization bypass flaw in Devolutions Server that allows authenticated users to modify assets without holding the permission required for that action. This article covers technical details, affected versions, detection, and mitigation.


CVE-2026-9590 Overview

CVE-2026-9590 is an improper access control vulnerability [CWE-284] in the permission validation component of Devolutions Server. The flaw affects Devolutions Server version 2026.1.19 and earlier. An authenticated user holding entry edit privileges can modify asset information without holding the dedicated permission required for that action. The issue stems from incomplete authorization enforcement when the server processes asset modification requests.

Critical Impact

Authenticated users with limited entry edit rights can alter asset records in Devolutions Server, undermining the integrity of stored asset data and bypassing the platform's permission model.

Affected Products

  • Devolutions Server 2026.1.19 and earlier
  • Devolutions Server permission validation component
  • Deployments exposing entry edit privileges to standard authenticated users

Discovery Timeline

  • 2026-06-02 - CVE-2026-9590 published to NVD
  • 2026-06-02 - Last updated in NVD database
  • 2026-06-02 - Devolutions publishes advisory DEVO-2026-0014

Technical Details for CVE-2026-9590

Vulnerability Analysis

The vulnerability resides in the permission validation logic that gates asset modification operations within Devolutions Server. The server treats the entry edit privilege as sufficient to authorize changes to asset attributes attached to those entries. The dedicated asset modification permission is not enforced on the relevant code path. As a result, the authorization decision diverges from the intended permission model defined in the product documentation.

An authenticated user submits an asset update request over the network. The server validates the user's entry edit privilege and accepts the request. The check for the separate asset edit permission is missing, so the modification proceeds. The vulnerability impacts data integrity but does not expose confidential data or affect availability of the service.

For full technical context, refer to the Devolutions Security Advisory DEVO-2026-0014.

Root Cause

The root cause is missing authorization [CWE-284] in the asset modification request handler. The handler relies on a coarse-grained privilege check rather than verifying every permission required by the underlying operation. This is a logic flaw in the permission validation component, not a memory safety or injection issue.
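The coarse-grained versus fine-grained check described above, as an added illustration that is not Devolutions Server code: the role names, permission names, and operation table are hypothetical, and the hardened gate requires every permission the operation needs and fails closed on unknown operations.

```python
# Added illustration of the CWE-284 pattern described above; this is NOT
# Devolutions Server code. Role names, permission names and the operation
# table below are hypothetical placeholders.
from dataclasses import dataclass

# Hypothetical role -> permission mapping (constructed sample data).
ROLE_PERMISSIONS = {
    "entry-editor": {"entry.view", "entry.edit"},
    "asset-manager": {"entry.view", "entry.edit", "asset.edit"},
}

# Every permission an operation needs; the asset update needs BOTH.
REQUIRED_PERMISSIONS = {
    "entry.update": {"entry.edit"},
    "asset.update": {"entry.edit", "asset.edit"},
}

@dataclass
class User:
    name: str
    roles: list

    def effective_permissions(self) -> set:
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

def vulnerable_authorize(user: User, operation: str) -> bool:
    # Coarse-grained gate: any editing operation is allowed once the caller
    # holds entry.edit. The dedicated asset.edit permission is never checked.
    return "entry.edit" in user.effective_permissions()

def hardened_authorize(user: User, operation: str) -> bool:
    # Fine-grained gate: the caller must hold every permission the operation
    # requires. Unknown operations are denied (fail closed).
    required = REQUIRED_PERMISSIONS.get(operation)
    if required is None:
        return False
    return required <= user.effective_permissions()

def handle_asset_update(user: User, authorize) -> str:
    # Request handler parameterised by the gate so both behaviours can be compared.
    if not authorize(user, "asset.update"):
        return "denied"
    return "asset modified"
```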

Attack Vector

The attack vector is network-based and requires valid authenticated credentials with entry edit privileges. No user interaction is needed beyond the attacker's own session. The attacker submits a crafted asset modification request to the server API. The server processes the request without enforcing the asset edit permission, and the change is committed.

No public proof-of-concept code is available for CVE-2026-9590. The vendor advisory describes the issue in prose and provides patched version information.

Detection Methods for CVE-2026-9590

Indicators of Compromise

  • Asset records modified by accounts that do not hold the asset edit permission in the Devolutions Server role configuration.
  • Audit log entries showing asset attribute changes attributed to users whose role grants only entry edit rights.
  • Discrepancies between expected asset ownership or metadata and the values persisted in the Devolutions Server database.

Detection Strategies

  • Review Devolutions Server audit logs for asset modification events and cross-reference the acting user's effective permissions.
  • Baseline asset metadata and compare against current values to identify unauthorized changes.
  • Alert on asset update API calls originating from accounts that should not have asset modification authority.
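The first detection strategy above (cross-referencing asset modification events against the acting user's effective permissions), as an added example that is not part of the original page: the audit lines are constructed samples in a hypothetical key=value layout, not the real Devolutions Server audit schema, and the permission table stands in for an export of the role configuration.

```python
# Added detection example for the strategy above. The log format and the
# permission table are constructed/hypothetical, NOT Devolutions Server's real
# audit schema or role export.
import re
from typing import Dict, List

# Hypothetical effective-permission table exported from the role configuration.
USER_PERMISSIONS = {
    "alice": {"entry.view", "entry.edit"},
    "bob": {"entry.view", "entry.edit", "asset.edit"},
}

# Constructed sample audit lines: timestamp, actor, action, target, field.
SAMPLE_AUDIT_LOG = """\
2026-06-03T10:01:12Z user=bob action=asset.update target=asset:1042 field=owner
2026-06-03T10:02:40Z user=alice action=entry.update target=entry:77 field=name
2026-06-03T10:03:05Z user=alice action=asset.update target=asset:1042 field=owner
2026-06-03T10:04:00Z user=carol action=asset.update target=asset:9 field=tags
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)"
)

# Actions that change asset records and therefore require asset.edit.
ASSET_MODIFY_ACTIONS = {"asset.update", "asset.delete"}

def parse_audit_lines(text: str) -> List[Dict[str, str]]:
    """Parse the constructed key=value lines; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_unauthorized_asset_changes(text: str) -> List[Dict[str, str]]:
    """Return asset modification events whose actor lacks asset.edit.
    Actors missing from the permission table are treated as having none."""
    findings = []
    for ev in parse_audit_lines(text):
        if ev["action"] not in ASSET_MODIFY_ACTIONS:
            continue
        if "asset.edit" not in USER_PERMISSIONS.get(ev["user"], set()):
            findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in find_unauthorized_asset_changes(SAMPLE_AUDIT_LOG):
        print(f"ALERT {f['ts']} {f['user']} performed {f['action']} on {f['target']}")
```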

Monitoring Recommendations

  • Forward Devolutions Server audit logs to a centralized log platform for retention and correlation.
  • Track changes to high-value asset records, including credentials, secrets, and infrastructure entries.
  • Periodically reconcile role definitions against actual modification activity to detect privilege drift.

How to Mitigate CVE-2026-9590

Immediate Actions Required

  • Upgrade Devolutions Server to a version later than 2026.1.19 as specified in DEVO-2026-0014.
  • Audit existing role assignments and remove entry edit privileges from accounts that do not require them.
  • Review recent asset modifications and revert any unauthorized changes identified during the audit.

Patch Information

Devolutions has published a fixed release referenced in the Devolutions Security Advisory DEVO-2026-0014. Administrators should consult the advisory for the exact patched build number and apply the update following the vendor's upgrade procedure.

Workarounds

  • Restrict entry edit privileges to trusted users until the patch is applied.
  • Enable and monitor audit logging on the Devolutions Server instance to detect unauthorized asset modifications.
  • Limit network access to the Devolutions Server administrative interfaces to known administrative subnets.

```powershell
# Verify the installed Devolutions Server version against the patched release.
# Replace the placeholder with the build number listed in DEVO-2026-0014.
$patched   = [version]'<PATCHED_BUILD>'   # placeholder: build from DEVO-2026-0014
$installed = [version](Get-ItemProperty "HKLM:\SOFTWARE\Devolutions\Devolutions Server").DisplayVersion
if ($installed -lt $patched) { "Vulnerable: $installed (upgrade to $patched)" } else { "Patched: $installed" }
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
