CVE-2026-3221
Received
Received - Intake
Unencrypted User Data Exposure in Devolutions Server Database
Vulnerability report for CVE-2026-3221, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-02-25
Last updated on: 2026-02-28
Assigner: Devolutions Inc.
Description
Description
Sensitive
user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with
access to the database to obtain sensitive user
information via direct database access.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | to 2025.3.15.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |