MEDIUM 4.3

CVE-2026-10787: Missing Authorization in Devolutions Server Deleted User Groups API

Devolutions Server contains a flaw in its API for managing deleted user groups that fails to properly check permissions. An authenticated user with low-level access can craft specific API requests to view metadata about deleted user groups they should not be able to see. The vulnerability requires an attacker to already have valid credentials, limiting the attack surface, but it does represent a breach of data compartmentalization within the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10787 is a missing authorization vulnerability (CWE-862) in the deleted user groups API endpoint of Devolutions Server. The API fails to enforce proper access controls, allowing an authenticated principal with low privilege level to enumerate metadata of deleted user groups through crafted requests. The vulnerability does not require user interaction and operates over the network. It affects Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier. The CVSS 3.1 score of 4.3 (MEDIUM) reflects low impact to confidentiality (information about deleted groups becomes visible) combined with integrity exposure and the requirement for prior authentication.

Business impact

This vulnerability enables account enumeration and organizational structure reconnaissance within Devolutions Server deployments. An insider or compromised low-privilege account can discover which user groups have been deleted, potentially inferring team reorganizations, policy changes, or historical access control decisions. In security-sensitive environments where group deletions correlate with access revocation or incident response, this leakage could inform follow-on attacks. The requirement for valid credentials means the risk is primarily from internal threats rather than external attackers, but the ease of exploitation via API requests makes it a concern for organizations with strict data compartmentalization requirements.

Affected systems

Devolutions Server versions 2026.1.20.0 and earlier are affected, as well as 2026.2.4.0. Organizations running any release up to and including 2026.1.20.0 in the 2026.1 branch, or version 2026.2.4.0 in the 2026.2 branch, should verify their exact deployment version against vendor release notes to determine exposure.

Exploitability

Exploitation requires valid Devolutions Server credentials and network access to the API endpoint. The attack is straightforward—a low-privileged authenticated user can issue API requests to enumerate deleted group metadata without special tools or complex techniques. There is no public exploit code or active exploitation reported in the KEV (Known Exploited Vulnerabilities) catalog. The barrier to exploitation is low once credentials are obtained, making this a concern primarily for insider threats or scenarios where accounts have been compromised.

Remediation

Upgrade Devolutions Server to a patched version released by Devolutions that addresses missing authorization on the deleted user groups API. Verify the exact patched version number in the official Devolutions security advisory. In parallel, restrict API access via network segmentation and monitor API calls to the deleted user groups endpoint for anomalous enumeration patterns.

Patch guidance

Consult the Devolutions security advisory and release notes to identify the minimum patched version that remediates CWE-862 in the deleted user groups API. Apply the update to all affected Devolutions Server instances in your environment. Test the patch in a non-production environment first to confirm compatibility with dependent systems and API consumers. Verify that the authorization checks are now enforced by testing with a low-privileged account to confirm access is properly denied.

Detection guidance

Monitor Devolutions Server API logs for repeated requests to the deleted user groups endpoint originating from low-privileged accounts. Look for patterns of systematic enumeration (many requests in short time windows) or requests from unexpected client IPs. Implement alerting on API endpoints that handle sensitive organizational metadata. If you have API request logging enabled, search historical logs for calls to deleted group enumeration endpoints from accounts that should not have access.

Why prioritize this

Although the CVSS score is MEDIUM (4.3), the vulnerability should be prioritized based on your organization's sensitivity to insider threats and data compartmentalization requirements. If your Devolutions Server deployment contains sensitive deleted group metadata or if you operate in a strict zero-trust environment, treat this as a higher priority. Conversely, if your environment has strong network segmentation and API access controls, or if deleted group metadata is not considered sensitive, a standard update cycle is appropriate.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects: (1) network-accessible API requiring no user interaction (AV:N/AC:L/UI:N), (2) requirement for prior authentication (PR:L), (3) no impact to confidentiality, (4) low integrity impact (information disclosure and inability to fully trust group state), and (5) no availability impact. The score would be higher if the vulnerability enabled modification or deletion of groups, but it is limited to enumeration. The authentication requirement and low direct impact cap the severity at MEDIUM.

Frequently asked questions

Can this vulnerability be exploited without valid Devolutions Server credentials?

No. The vulnerability requires an authenticated user account. An unauthenticated attacker cannot access the vulnerable API endpoint. This limits the attack surface primarily to insider threats or scenarios where credentials have been compromised through other means.

What exactly can an attacker learn by enumerating deleted user groups?

An attacker can view metadata about deleted groups, such as group names, descriptions, creation dates, and possibly deletion timestamps or reasons. This information could reveal organizational structure changes, team reorganizations, or patterns in access control policy evolution. It does not directly grant access to group resources or credentials.

Is this vulnerability being actively exploited?

No, this vulnerability has not been added to the CISA KEV catalog and there are no public reports of active exploitation. However, the ease of exploitation via API requests means it is a concern for organizations with strict insider threat or data compartmentalization policies.

What should I do if I cannot immediately patch my Devolutions Server?

Implement compensating controls: restrict API access via firewall rules or network segmentation to trusted clients only; enable and monitor API audit logs for suspicious enumeration patterns; enforce multi-factor authentication on all Devolutions Server accounts to reduce credential compromise risk; and prioritize the patch in your next maintenance window.

This analysis is based on the published CVE details and CVSS vector available as of the modification date. Patch version numbers and specific remediation steps should be verified against the official Devolutions security advisory and release notes. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on their specific deployment, user base, and data sensitivity. Always test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).