CVE-2026-10544
Received
Received - Intake
Authenticated Command Execution in Devolutions Server via PAM Provider Templates
Publication date: 2026-06-08
Last updated on: 2026-06-08
Assigner: Devolutions Inc.
Description
Description
Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.
This issue affects :
* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | server | to 2026.1.20.0 (exc) |
| devolutions | server | 2026.2.4.0 |
| devolutions | server | to 2026.2.4.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |