Primary

Context

Devolutions Server Missing Authorization Vulnerability in Deleted User Groups API

Vulnerability

Patched

A vulnerability exists in the Devolutions Server deleted user groups API, where missing authorization allows an authenticated low-privileged user to enumerate metadata of deleted user groups through a crafted API request. This issue affects Devolutions Server versions 2026.2.4.0, 2026.1.20.0 and earlier.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of metadata related to deleted user groups.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.2.5.0 or higher, or version 2026.1.21.0 or higher.

Added: Jun 8, 2026, 7:27 PM

Updated: Jun 8, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

9.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

9.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Devolutions Server Missing Authorization Vulnerability in Deleted User Groups API

Vulnerability

Impact

Remediation

Affected Products

Devolutions Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating