MEDIUM 6.5

CVE-2026-10786: Devolutions Server Credential Disclosure via Improper Access Control

A flaw in Devolutions Server's ticketing integration settings allows authenticated users with low-level permissions to retrieve cleartext credentials for third-party ticketing systems through a specially crafted API request. An attacker with basic user access could exploit this to obtain sensitive integration credentials without proper authorization checks, potentially enabling lateral movement or unauthorized access to connected ticketing platforms.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-312
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10786 is an improper access control vulnerability (CWE-312) in Devolutions Server's API layer governing ticketing integration configuration. The vulnerability stems from insufficient authorization validation when processing requests to retrieve credential material associated with configured ticketing integrations. A low-privileged authenticated user can bypass intended access controls and obtain cleartext credentials via a crafted API request. The CVSS 3.1 score of 6.5 (MEDIUM) reflects high confidentiality impact with no integrity or availability risk, and a relatively low attack complexity requiring only network access and valid authentication.

Business impact

Exposure of ticketing system credentials could enable attackers to impersonate legitimate integrations, access sensitive tickets or user information in connected platforms, or pivot to downstream systems. For organizations using Devolutions Server as a credential management and access control layer, this represents a weakening of the overall security posture—particularly concerning if ticketing integrations connect to customer-facing or critical infrastructure systems. The impact is primarily confidentiality-driven but could lead to secondary compromises depending on the sensitivity of the integrated ticketing environment.

Affected systems

Devolutions Server versions 2026.1.20.0 and earlier are affected, as is version 2026.2.4.0. Organizations running any build within the 2026.1.x line up to and including 2026.1.20.0, or specifically 2026.2.4.0, should assess their exposure immediately. Earlier major versions (2025.x and prior) are not mentioned in the advisory and should be verified against the official Devolutions security guidance.

Exploitability

Exploitability is moderate. The attack requires valid authentication and low-privileged user credentials—a realistic scenario in multi-user Devolutions deployments where junior staff, contractors, or service accounts have basic access. No special user interaction, complex configuration, or timing is needed; a straightforward API call is sufficient. However, the attacker must already have valid login credentials, which raises the bar slightly compared to unauthenticated attacks. No public exploit code or KEV listing is currently known.

Remediation

Apply the latest patched version of Devolutions Server. Verify the specific patch version from the official Devolutions security advisory, as version numbers must be confirmed directly from vendor releases. In the interim, organizations should review access control policies for ticketing integration settings and consider restricting API access to those accounts that absolutely require it. Audit logs should be checked for any suspicious API requests targeting credential endpoints.

Patch guidance

Consult the official Devolutions Server security advisory to identify the specific patched version that resolves CVE-2026-10786. Versions earlier than the recommended patch should be upgraded. Test the patch in a non-production environment first, as ticketing integrations may be business-critical. Verify that post-patch, low-privileged users can no longer access integration credentials via the API. Consider scheduling upgrades during a maintenance window to avoid disruption to integrated ticketing workflows.

Detection guidance

Monitor API access logs for unusual requests to ticketing integration endpoints, particularly from low-privileged user accounts or service accounts that do not typically manage integrations. Look for repeated or failed attempts to retrieve credential data through the Devolutions Server API. Implement alerting for any API calls that attempt to access or enumerate ticketing configuration secrets. Network-based monitoring can flag unusual outbound connections from the Devolutions Server if compromised credentials are used externally.

Why prioritize this

Although the CVSS score is MEDIUM, this vulnerability warrants prompt remediation due to the nature of credential exposure. Devolutions Server is often deployed in environments handling sensitive access credentials, and any weakness in access control for stored secrets compounds downstream risk. The attack requires only basic user access, making it accessible to a broad range of potential internal or compromised accounts. Prioritize patching based on your organization's exposure to Devolutions Server and the sensitivity of integrated ticketing systems.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a high-confidentiality impact (cleartext credential disclosure) combined with low attack complexity and no integrity or availability impact. The 'low-privileged user' requirement elevates the attack complexity slightly and prevents a higher severity rating, but does not materially reduce the risk in environments where multiple staff or service accounts have basic Devolutions access. Organizations managing sensitive data or critical integrations should treat this as higher-risk despite the MEDIUM label.

Frequently asked questions

Can an attacker without any Devolutions Server access exploit this?

No. The vulnerability requires valid authentication and at least low-level user permissions. An attacker must have a legitimate user account or compromised credentials to attempt the exploit.

Will patching affect my existing ticketing integrations?

Patching should not disrupt ticketing integrations themselves; it only tightens access control around credential retrieval. Test in a non-production environment to confirm compatibility before deploying to production.

How can I check if my Devolutions Server was exploited?

Review API audit logs for requests to ticketing integration endpoints from unexpected user accounts, particularly around the modification dates shown in the advisory. Cross-reference with user access records and known administrative activities. Consider credential rotation for all ticketing integrations as a precaution.

What is CWE-312 and why does it matter?

CWE-312 is 'Cleartext Storage of Sensitive Information.' In this case, the vulnerability allows improper access to cleartext credentials that should be protected. This flaw emphasizes the importance of both encryption and robust access controls around stored secrets.

This analysis is based on publicly available vulnerability data current as of the advisory publication date. Specific patch versions, affected build numbers, and remediation steps must be verified against the official Devolutions security advisory before deployment. Security assessments and patch decisions should account for your organization's specific Devolutions Server configuration, integrated systems, and risk tolerance. SEC.co and its analysts make no warranties regarding the completeness or applicability of this guidance to your environment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).