CVE-2026-2590
Improper Access Control in Devolutions RDM Vaults Allows Credential Persistence
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: Devolutions Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | remote_desktop_manager | to 2025.3.30.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves improper enforcement of the 'Disable password saving in vaults' setting in the connection entry component of Devolutions Remote Desktop Manager version 2025.3.30 and earlier.
An authenticated user can bypass this setting and persist credentials in vault entries by creating or editing certain connection types, even when password saving is supposed to be disabled.
This means that passwords can be saved unintentionally, potentially exposing sensitive information.
How can this vulnerability impact me? :
The vulnerability can allow an authenticated user to save credentials in vault entries despite the setting to disable password saving.
This could lead to sensitive information, such as passwords, being exposed to other users who have access to the vault entries.
As a result, unauthorized users might gain access to credentials they should not have, increasing the risk of unauthorized access to systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know