CVE-2026-8407

MEDIUM

Devolutions Server 2025.3.16.0 and earlier, 2026.1.6.0-2026.1.11.0 - Authenticated Missing Authorization in PAM Module

Title source: llm

Description

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier

References (1)

Core 1

Core References

https://devolutions.net/security/advisories/DEVO-2026-0010/

Scores

CVSS v3 4.3

EPSS 0.0020

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (3)

devolutions/devolutions_server < 2025.3.18.0

Devolutions/Server < 2025.3.16.0

Devolutions/Server 2026.1.6.0 - 2026.1.11.0

Published May 12, 2026

Tracked Since May 12, 2026