Devolutions Server Missing Authorization Vulnerability in PAM Module Allowing OTP Secret Key and Recovery Code Access

Vulnerability

A vulnerability exists in the PAM module of Devolutions Server versions 2026.1.6.0 through 2026.1.11.0 and versions 2025.3.16.0 and earlier. It arises from missing authorization: an authenticated user who holds a PAM license but no additional permissions can access OTP secret keys and recovery codes by sending crafted requests to PAM API endpoints.

Impact

Exploitation of this vulnerability allows unauthorized access to OTP secret keys and recovery codes, which could be used to bypass multi-factor authentication or gain unauthorized access to accounts.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.12.0 or higher, or version 2025.3.18 or higher.
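For fleet triage, the following added helper (not code from Devolutions or from this advisory) classifies a Devolutions Server build string against the affected and fixed versions stated above; the function and variable names are my own, and it reads the advisory's ranges literally, reporting builds that fall between the stated bounds (for example 2025.3.17.x) as "not listed" rather than guessing.

```python
# Added example: classify Devolutions Server versions against this advisory.
# Version boundaries are copied from the advisory text; helper names are mine.

AFFECTED_RANGES = [
    ((0, 0, 0, 0), (2025, 3, 16, 0)),        # "2025.3.16.0 and earlier"
    ((2026, 1, 6, 0), (2026, 1, 11, 0)),     # "2026.1.6.0 through 2026.1.11.0"
]
# "2025.3.18 or higher" (older branch) and "2026.1.12.0 or higher" (newer branch)
FIXED_RANGES = [
    ((2025, 3, 18, 0), (2026, 0, 99, 99)),   # 2025.3.18 up to, not including, 2026.1.x
    ((2026, 1, 12, 0), (9999, 0, 0, 0)),     # 2026.1.12.0 and every later build
]


def parse_version(text):
    """Turn '2025.3.18' or '2026.1.8.0' into a 4-tuple of ints for comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Return 'affected', 'fixed' or 'not listed' for one build string.

    Assumption: a build is 'fixed' only if it sits inside one of the two
    stated fixed ranges; anything else outside the affected ranges is
    reported as 'not listed' so the gap is visible instead of guessed.
    """
    v = parse_version(version_text)
    if any(low <= v <= high for low, high in AFFECTED_RANGES):
        return "affected"
    if any(low <= v <= high for low, high in FIXED_RANGES):
        return "fixed"
    return "not listed"


def triage(inventory):
    """Map {hostname: version_string} to {hostname: classification}."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"dvls-prod-01": "2026.1.9.0", "dvls-lab": "2025.3.18", "dvls-old": "2024.3.2.0"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host:14} {sample[host]:12} {status}")
```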

Added: May 12, 2026, 5:49 PM
Updated: May 12, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  5.2
remediation     7.7
relevance       8.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.