CVE-2026-6706
Received Received - Intake

Improper Access Control in Devolutions Server Vault Documentation

Vulnerability report for CVE-2026-6706, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-28

Last updated on: 2026-05-04

Assigner: Devolutions Inc.

Description

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-28
Last Modified
2026-05-04
Generated
2026-07-06
AI Q&A
2026-04-28
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
devolutions devolutions_server to 2025.3.19.0 (exc)
devolutions devolutions_server From 2026.1.6.0 (inc) to 2026.1.15.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves an authenticated attacker sending a crafted API request to read documentation content from unauthorized vaults. Detection would involve monitoring for unusual or unauthorized API requests targeting the vault documentation feature.

Specifically, you can inspect network traffic or server logs for API requests that access vault documentation endpoints without proper authorization.

Since the vulnerability requires authentication but low privileges, commands or tools that analyze API request logs or network captures for suspicious access patterns to vault documentation could help detect exploitation attempts.

However, no specific detection commands or signatures are provided in the available information.

Compliance Impact

The vulnerability allows an authenticated attacker to read documentation content from unauthorized vaults due to improper access control. This unauthorized data access could potentially lead to exposure of sensitive information.

Such unauthorized access to data may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect sensitive information and prevent unauthorized disclosure.

However, the provided information does not explicitly state the nature of the documentation content or whether it includes personal or protected health information, so the exact compliance impact cannot be determined from the available data.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Devolutions Server to version 2026.1.15.0 or later, which addresses this improper access control vulnerability.

Executive Summary

CVE-2026-6706 is an improper access control vulnerability in the vault documentation feature of Devolutions Server versions 2026.1.14.0 and earlier.

This vulnerability allows an authenticated attacker to read documentation content from vaults they are not authorized to access by sending a specially crafted API request.

Impact Analysis

An attacker with valid authentication can exploit this vulnerability to access confidential documentation stored in unauthorized vaults.

This could lead to unauthorized disclosure of sensitive information, potentially compromising confidentiality.

The vulnerability has a CVSS v3.1 base score of 4.3 (Medium severity), indicating a moderate risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart