Devolutions Server Missing Authorization Vulnerability in User Profile Update

Vulnerability

A vulnerability exists in the user profile update feature of Devolutions Server: missing authorization allows authenticated Active Directory users to alter their own profile attributes through a manipulated API request. This issue affects Devolutions Server versions 2026.1.6.0 through 2026.1.16.0, and all versions 2025.3.20.0 and earlier.
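
The defect class described above, shown beside a hardened handler, as an added illustration that is hypothetical code and not Devolutions Server's own: the profile endpoint applies a request body as-is versus checking, per attribute, what the authenticated user may change on their own profile. The policy table, the "local"/"ad" account sources and the attribute names are assumptions.

```python
from dataclasses import dataclass, field
# Constructed, hypothetical policy (not Devolutions Server code): which profile
# attributes a user may change on their own profile depends on the account source.
# For a directory-backed ("ad") account the directory is authoritative for identity
# attributes, so only preference-style attributes stay self-editable.
SELF_EDITABLE = {
    "local": {"display_name", "email", "language", "timezone"},
    "ad": {"language", "timezone"},
}

@dataclass
class User:
    user_id: int
    source: str                                 # "local" or "ad"
    profile: dict = field(default_factory=dict)

class AuthorizationError(Exception):
    pass

def update_profile_vulnerable(actor: User, target: User, changes: dict) -> dict:
    """Missing authorization: the request body is applied as-is, so a request
    carrying attributes the UI never offers is honoured (the defect class)."""
    target.profile.update(changes)
    return target.profile

def denied_attributes(actor: User, target: User, changes: dict) -> list:
    """Per-attribute authorization: the requested keys the actor may not modify
    on the target profile (an empty list means the update is allowed)."""
    if actor.user_id != target.user_id:
        return sorted(changes)                  # not the owner: nothing allowed
    allowed = SELF_EDITABLE.get(target.source, set())
    return sorted(set(changes) - allowed)

def update_profile_hardened(actor: User, target: User, changes: dict) -> dict:
    """Authorize before applying anything; reject the whole request rather than
    silently dropping keys, so the attempt surfaces in audit logs."""
    denied = denied_attributes(actor, target, changes)
    if denied:
        raise AuthorizationError(
            f"user {actor.user_id} ({target.source}) may not modify {denied}")
    target.profile.update(changes)
    return target.profile

def outcome(handler, actor: User, target: User, changes: dict) -> str:
    """Run a handler on a constructed request and report 'applied' or 'denied'."""
    try:
        handler(actor, target, changes)
        return "applied"
    except AuthorizationError:
        return "denied"
```

The rejected request is the signal worth alerting on: a self-service profile update carrying a directory-managed attribute is not something the legitimate client sends.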

Impact

Exploitation of this vulnerability could lead to unauthorized modification of user profile attributes, potentially allowing users to escalate privileges or gain access to sensitive information.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.19.0 or higher, or 2025.3.22.0 or higher.

Added: May 26, 2026, 3:38 PM
Updated: May 26, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.