CVE-2026-6706
Improper Access Control in Devolutions Server Vault Documentation
Publication date: 2026-04-28
Last updated on: 2026-05-04
Assigner: Devolutions Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | Up to 2025.3.19.0 (exc) |
| devolutions | devolutions_server | From 2026.1.6.0 (inc) to 2026.1.15.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated attacker sending a crafted API request to read documentation content from unauthorized vaults. Detection would involve monitoring for unusual or unauthorized API requests targeting the vault documentation feature.
Specifically, you can inspect network traffic or server logs for API requests that access vault documentation endpoints without proper authorization.
Because exploitation requires a valid but low-privilege account, tools that analyze API request logs or network captures for access to vault documentation from accounts that are not members of the requested vault could help detect exploitation attempts.
However, no specific detection commands or signatures are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade Devolutions Server to version 2026.1.15.0 or later, which addresses this improper access control vulnerability.
Can you explain this vulnerability to me?
CVE-2026-6706 is an improper access control vulnerability in the vault documentation feature of Devolutions Server versions 2026.1.14.0 and earlier.
This vulnerability allows an authenticated attacker to read documentation content from vaults they are not authorized to access by sending a specially crafted API request.
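As an added illustration (not Devolutions code, and not based on the real Devolutions Server API, whose endpoint and parameter names this record does not give), the following Python shows the CWE-862 pattern described above: a documentation read that checks only that the caller is logged in, next to one that also checks the caller's membership in the requested vault. The user names, vault ids and documentation strings are constructed sample data.

```python
# Added example, not Devolutions code: a vault-scoped documentation read
# with a missing authorization check (CWE-862) and the corrected version.
# Users, vault ids and documentation text below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    authenticated: bool = True


@dataclass
class Vault:
    vault_id: str
    documentation: str
    members: set = field(default_factory=set)  # accounts allowed to read this vault


VAULTS = {
    "finance": Vault("finance", "Wire transfer runbook (constructed)", {"alice"}),
    "it-ops": Vault("it-ops", "Break-glass procedure (constructed)", {"alice", "bob"}),
}


class Forbidden(Exception):
    pass


def read_documentation_vulnerable(user: User, vault_id: str) -> str:
    """Checks only that the caller is logged in: any low-privilege account can
    read any vault's documentation by supplying another vault's id."""
    if not user.authenticated:
        raise Forbidden("login required")
    return VAULTS[vault_id].documentation  # no per-vault authorization (CWE-862)


def read_documentation_fixed(user: User, vault_id: str) -> str:
    """Authenticates AND authorizes: the caller must be a member of the vault
    whose documentation is requested, not merely of some vault."""
    if not user.authenticated:
        raise Forbidden("login required")
    vault = VAULTS.get(vault_id)
    # Same error for unknown and for unpermitted vaults, so the response does
    # not reveal which vault ids exist.
    if vault is None or user.name not in vault.members:
        raise Forbidden(f"{user.name} may not read vault {vault_id!r}")
    return vault.documentation


def can_read(handler, user: User, vault_id: str) -> bool:
    """True if the given handler hands the documentation to this user."""
    try:
        handler(user, vault_id)
        return True
    except (Forbidden, KeyError):
        return False
```

Run `can_read` with both handlers for a user who belongs to one vault but not the other to see the vulnerable handler return the other vault's documentation while the fixed handler denies it.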
How can this vulnerability impact me?
An attacker with valid authentication can exploit this vulnerability to access confidential documentation stored in unauthorized vaults.
This could lead to unauthorized disclosure of sensitive information, potentially compromising confidentiality.
The vulnerability has a CVSS v3.1 base score of 4.3 (Medium severity), indicating a moderate risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to read documentation content from unauthorized vaults due to improper access control. This unauthorized data access could potentially lead to exposure of sensitive information.
Such unauthorized access to data may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect sensitive information and prevent unauthorized disclosure.
However, the provided information does not explicitly state the nature of the documentation content or whether it includes personal or protected health information, so the exact compliance impact cannot be determined from the available data.