Description
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier
References (1)
Core 1
Core References
Scores
CVSS v3
4.3
EPSS
0.0015
EPSS Percentile
5.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (4)
devolutions/devolutions_server
2026.2.4.0
devolutions/devolutions_server
< 2026.1.21.0
Devolutions/Server
< 2026.1.20.0
Devolutions/Server
2026.2.4.0
Published
Jun 08, 2026
Tracked Since
Jun 09, 2026