CVE-2026-9522: Improper Access Control in Devolutions Server PAM Discovery
Devolutions Server versions 2026.1.19 and earlier contain an access control weakness in the PAM (Privileged Access Management) account discovery feature. An authenticated user without admin rights can delete network discovery scan configurations that they shouldn't be able to modify. This means non-privileged users can disrupt the organization's ability to discover and inventory network accounts, potentially hindering PAM operations and compliance visibility.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9522 stems from improper access control (CWE-284) in Devolutions Server's PAM account discovery module. The vulnerability allows any authenticated user to perform deletion operations on network discovery scan configurations regardless of their privilege level. The CVSS 3.1 score of 5.4 (MEDIUM) reflects low confidentiality and integrity impact without availability impact—users can view and modify configurations they should not access, but the system itself remains operational. The network-accessible attack vector and low complexity mean exploitation requires only valid credentials and no user interaction.
Business impact
Organizations relying on Devolutions Server for PAM and account discovery face operational disruption and compliance risk. Malicious or negligent non-admin users can delete scan configurations, preventing discovery of privileged accounts and breaking automated inventory processes. This can lead to incomplete asset visibility, delayed vulnerability assessments, and audit failures if regulatory frameworks require comprehensive account tracking. Additionally, recovery of deleted configurations consumes administrative time and may leave windows of unmonitored access.
Affected systems
Devolutions Server versions 2026.1.19 and earlier are affected. Organizations should verify their exact version and check the vendor advisory for patched versions. The vulnerability requires valid authentication, so it does not affect unauthenticated or internet-facing attack scenarios where no credentials are available.
Exploitability
Exploitation is straightforward and requires only valid user credentials with low or no privilege level. No exploit code or sophisticated techniques are needed—any authenticated non-admin user can access the PAM discovery interface and delete scan configurations through normal UI or API interactions. The lack of KEV (Known Exploited Vulnerabilities) status indicates no public active exploitation has been documented, but the low technical barrier means defenders should assume eventual weaponization if patches are delayed.
Remediation
Update Devolutions Server to the patched version specified in the vendor security advisory. Verify the exact patched version against Devolutions' official guidance before deployment. As an interim control, restrict PAM account discovery feature access to administrative users only via role-based access control (RBAC) if the product permits temporary scope narrowing. Audit logs to identify any unauthorized deletion of scan configurations and restore them from backup if available.
Patch guidance
Consult the Devolutions security advisory for the specific patched version addressing CVE-2026-9522. Apply patches in a test environment first to verify compatibility with your PAM workflows and integrations. Given the MEDIUM severity, plan patching within your standard update cycle, but prioritize systems where non-admin users have broad access to the discovery feature. Document any pre-patch configurations and consider backup restoration procedures.
Detection guidance
Monitor Devolutions Server audit logs for deletion events on network discovery scan configurations, particularly those initiated by non-administrative users. Alert on any configuration changes to the PAM account discovery module from unexpected accounts. If available, enable detailed access control logging within Devolutions Server to track privilege escalation attempts or unauthorized configuration modifications. Review user access permissions to the account discovery feature and cross-reference against expected role assignments.
Why prioritize this
While rated MEDIUM severity with a CVSS score of 5.4, this vulnerability merits near-term attention because it directly impacts PAM hygiene and compliance. Unlike purely confidentiality-focused issues, the ability to delete discovery configurations creates operational risk—audit trails may show missing accounts, and attackers could hide privileged accounts by disrupting scans. Organizations with mature PAM programs and regulatory requirements (SOX, HIPAA, PCI-DSS) should treat this with higher urgency despite the moderate score.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the following: (1) Network-accessible attack vector with low complexity and low privilege requirements keep the score from 'LOW', (2) Confidentiality and integrity impact are rated 'LOW' because deletion affects configurations, not direct exposure of sensitive data, (3) No availability impact is assigned because scan deletions do not crash the server or deny service to other users. The score appropriately captures a privilege boundary bypass with operational consequences but no critical infrastructure disruption.
Frequently asked questions
Can an attacker exploit this remotely without being inside our network?
No. The vulnerability requires valid authentication credentials. An attacker must be a user with legitimate access to Devolutions Server. However, if your server is internet-facing or accessible via VPN, any employee or contractor with credentials becomes a potential vector.
What happens if scan configurations are deleted—can we recover them?
Deleted configurations are typically gone unless you maintain backups of the Devolutions Server database. Recovery depends on your backup strategy. Restoration is possible but time-consuming and may leave gaps in account discovery during the outage. This underscores why timely patching and access control restrictions are important.
Does this vulnerability allow attackers to steal passwords or access privileged accounts directly?
No. The vulnerability is limited to deleting discovery scan configurations. It does not grant access to stored credentials, account databases, or privileged session functionality. However, by disrupting discovery scans, an attacker could hide the presence of certain accounts from auditors and administrators.
Is this in the CISA KEV catalog and subject to federal patching mandates?
No. As of the current data, CVE-2026-9522 is not listed in the CISA Known Exploited Vulnerabilities catalog. However, organizations subject to federal compliance requirements should still prioritize patching based on their internal risk assessments and any vendor guidance.
This analysis is provided for informational purposes and based on CVE data available as of the publication date. Verify all patch version numbers and compatibility against the official Devolutions security advisory before deployment. CVSS scores and severity ratings are subject to update by NIST or the vulnerability source. Organizations should conduct their own risk assessment based on their specific deployment, user base, and regulatory requirements. No liability is assumed for inaccuracies or omissions in this summary. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9590MEDIUMDevolutions Server Improper Access Control Vulnerability
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy