CVE-2026-10544
Analyzed Analyzed - Analysis Complete

Authenticated Command Execution in Devolutions Server via PAM Provider Templates

Publication date: 2026-06-08

Last updated on: 2026-06-12

Assigner: Devolutions Inc.

Description
Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-08
Last Modified
2026-06-12
Generated
2026-06-29
AI Q&A
2026-06-08
EPSS Evaluated
2026-06-27
NVD
CVE-2026-10544
EUVD
EUVD-2026-35184

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
devolutions devolutions_server to 2026.1.21.0 (exc)
devolutions devolutions_server 2026.2.4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is caused by improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server. It allows an authenticated user who has write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.

Impact Analysis

An attacker who is an authenticated user with write access to a vault can exploit this vulnerability to execute arbitrary commands on the managed systems. This could lead to unauthorized actions, potential system compromise, or disruption of services on those systems.

Mitigation Strategies

The vulnerability affects Devolutions Server versions 2026.2.4.0 and 2026.1.20.0 and earlier. Immediate mitigation steps include upgrading to a fixed version of Devolutions Server that addresses this issue.

However, the provided resources do not specify the exact fixed version for CVE-2026-10544. It is recommended to check official Devolutions Server updates and apply the latest patches or versions beyond 2026.2.4.0 or 2026.1.20.0.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10544. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart