CVE-2026-6706
Status: Received (Intake)
Improper Access Control in Devolutions Server Vault Documentation

Publication date: 2026-04-28

Last updated on: 2026-05-04

Assigner: Devolutions Inc.

Description
Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from vaults they are not authorized to access via a crafted API request. This issue affects Devolutions Server versions 2026.1.6.0 through 2026.1.14.0, and versions up to and including 2025.3.18.0.
Meta Information
Published: 2026-04-28
Last Modified: 2026-05-04
Generated: 2026-06-16
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor      | Product            | Version / Range
devolutions | devolutions_server | up to 2025.3.19.0 (excluded)
devolutions | devolutions_server | from 2026.1.6.0 (included) to 2026.1.15.0 (excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability allows an authenticated attacker to read documentation content from unauthorized vaults due to improper access control. This unauthorized data access could potentially lead to exposure of sensitive information.

Such unauthorized access to data may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect sensitive information and prevent unauthorized disclosure.

However, the provided information does not explicitly state the nature of the documentation content or whether it includes personal or protected health information, so the exact compliance impact cannot be determined from the available data.

Detection Guidance

This vulnerability involves an authenticated attacker sending a crafted API request to read documentation content from unauthorized vaults. Detection would involve monitoring for unusual or unauthorized API requests targeting the vault documentation feature.

Specifically, you can inspect network traffic or server logs for API requests that access vault documentation endpoints without proper authorization.

Since exploitation requires an authenticated account with only low privileges, tools that analyze API request logs or network captures for access to vault documentation by accounts that are not authorized for those vaults could help detect exploitation attempts.

However, no specific detection commands or signatures are provided in the available information.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Devolutions Server to version 2026.1.15.0 or later, which addresses this improper access control vulnerability.

Executive Summary

CVE-2026-6706 is an improper access control vulnerability in the vault documentation feature of Devolutions Server versions 2026.1.14.0 and earlier.

This vulnerability allows an authenticated attacker to read documentation content from vaults they are not authorized to access by sending a specially crafted API request.

Impact Analysis

An attacker with valid authentication can exploit this vulnerability to access confidential documentation stored in unauthorized vaults.

This could lead to unauthorized disclosure of sensitive information, potentially compromising confidentiality.

The vulnerability has a CVSS v3.1 base score of 4.3 (Medium severity), indicating a moderate risk.
