CVE-2026-10787
Status: Analyzed (analysis complete)

Missing Authorization in Devolutions Server API Allows Group Metadata Enumeration

Vulnerability report for CVE-2026-10787, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-08

Last updated on: 2026-06-12

Assigner: Devolutions Inc.

Description

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

This issue affects:

  • Devolutions Server 2026.2.4.0
  • Devolutions Server 2026.1.20.0 and earlier

Meta Information

Generated: 2026-06-29
EPSS evaluated: 2026-06-27
External references: NVD, EUVD

Affected Vendors & Products

Associated CPEs (2):

Vendor | Product | Version / Range
devolutions | devolutions_server | up to 2026.1.21.0 (excluding)
devolutions | devolutions_server | 2026.2.4.0


Exploitability

CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
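The CWE-862 pattern behind this CVE is an endpoint that authenticates the caller but never asks whether that caller is allowed to see the resource. The following added example (not Devolutions Server code; every identifier in it, including the Principal and UserGroup types, the role names, the GROUPS sample data and the route paths, is constructed for illustration) shows a "deleted user groups" handler with the check missing, the same handler with an explicit role gate, and a route-table audit that flags any handler shipped without one:

```python
"""CWE-862 on a 'deleted user groups' endpoint: vulnerable handler, fixed
handler, and a route-table audit that catches the omission.

Added illustration, not Devolutions Server code. Every identifier here
(Principal, UserGroup, role names, the GROUPS sample and the route paths)
is constructed for the example.
"""
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Caller is authenticated but lacks the required permission."""


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


@dataclass(frozen=True)
class UserGroup:
    group_id: int
    name: str
    deleted: bool


# Constructed sample data: two live groups, two soft-deleted ones.
GROUPS = [
    UserGroup(1, "Helpdesk", deleted=False),
    UserGroup(2, "Domain Admins Vault", deleted=True),
    UserGroup(3, "Finance", deleted=False),
    UserGroup(4, "Legacy PAM Operators", deleted=True),
]


def requires_role(role):
    """Enforce a role check before the handler body runs, and tag the
    handler so the audit below can see that a check is present."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if role not in principal.roles:
                raise Forbidden(f"{principal.username} lacks role {role!r}")
            return handler(principal, *args, **kwargs)
        wrapper.required_role = role
        return wrapper
    return decorator


def list_deleted_groups_vulnerable(principal):
    """Authenticated, but no authorization check: any valid session can
    enumerate deleted-group metadata (the flaw class in the advisory)."""
    return [(g.group_id, g.name) for g in GROUPS if g.deleted]


@requires_role("administrator")
def list_deleted_groups_fixed(principal):
    """Same query, gated on an explicit role check."""
    return [(g.group_id, g.name) for g in GROUPS if g.deleted]


def call(handler, principal):
    """Invoke a handler and report the outcome as an HTTP-style status."""
    try:
        return 200, handler(principal)
    except Forbidden:
        return 403, []


# Constructed route table, in the style of a framework's URL dispatcher.
ROUTES = {
    "/api/user-groups/deleted": list_deleted_groups_vulnerable,
    "/api/user-groups/deleted-v2": list_deleted_groups_fixed,
}


def unprotected_routes(routes):
    """Audit helper: paths whose handler carries no authorization tag.
    Run this in CI so a new endpoint cannot ship without a check."""
    return sorted(path for path, h in routes.items()
                  if getattr(h, "required_role", None) is None)


LOW_PRIV = Principal("alice", frozenset({"user"}))
ADMIN = Principal("root", frozenset({"user", "administrator"}))

if __name__ == "__main__":
    for path, handler in ROUTES.items():
        for p in (LOW_PRIV, ADMIN):
            print(path, p.username, call(handler, p))
    print("missing authz:", unprotected_routes(ROUTES))
```

The low-privileged principal gets a 200 and the full list of deleted groups from the vulnerable handler and a 403 from the fixed one; the audit reports only the untagged route. The decorator-plus-audit approach is the practical defence against this bug class: authorization is declared next to the handler, and a test over the route table fails whenever a handler is registered without it.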


Executive Summary

This vulnerability is a missing authorization issue in the deleted user groups API of Devolutions Server. It allows an authenticated user with low privileges to send a specially crafted API request and enumerate metadata of deleted user groups, which they should not normally have access to.

Impact Analysis

The impact is information disclosure: a low-privileged authenticated user can read metadata about user groups that have been deleted, data the deleted-groups API should restrict to higher-privileged roles. Exploitation requires a valid account on the server, and the advisory describes no integrity or availability impact, but the disclosed metadata can help an attacker map the server's current and historical access structure (which groups existed and how they were named) before attempting further attacks.

Mitigation Strategies

The fix is to upgrade Devolutions Server to a release that adds the missing authorization check:

  • Upgrade to Devolutions Server 2026.2.5.0 or later.
  • On the 2026.1.x branch, upgrade to 2026.1.21.0 or later.

Builds older than the 2026.1 branch fall under "2026.1.20.0 and earlier" and should move to at least 2026.1.21.0. After upgrading, confirm the running version and re-test the deleted user groups API with a low-privileged test account to verify that the metadata is no longer returned.
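To apply the two version rules above across a fleet, the following added triage helper (an example written for this page, not a Devolutions tool) encodes the advisory's affected ranges and fixed releases and reports, per host, whether the reported build is affected and which release to upgrade to. The host names and build numbers in INVENTORY are constructed.

```python
"""Triage helper for CVE-2026-10787: is an installed Devolutions Server
build inside the affected ranges, and which release fixes it?

Added example, not a Devolutions tool. The ranges are the advisory's:
2026.2.4.0 is affected, 2026.1.20.0 and earlier are affected, fixed in
2026.1.21.0 (2026.1.x branch) and 2026.2.5.0 (2026.2.x branch). Host names
and versions in INVENTORY are constructed.
"""
import re

AFFECTED_EXACT = {(2026, 2, 4, 0)}
AFFECTED_UP_TO = (2026, 1, 20, 0)          # inclusive upper bound
FIXED_BY_BRANCH = {
    (2026, 1): (2026, 1, 21, 0),
    (2026, 2): (2026, 2, 5, 0),
}
OLDEST_FIXED = (2026, 1, 21, 0)


def parse_version(text):
    """'2026.1.20.0' -> (2026, 1, 20, 0); shorter strings are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the build matches one of the advisory's affected ranges."""
    v = parse_version(version)
    return v in AFFECTED_EXACT or v <= AFFECTED_UP_TO


def recommended_fix(version):
    """Fixed release on the same branch, or the oldest fixed release for
    builds older than the 2026.1 branch; None when not affected."""
    if not is_affected(version):
        return None
    branch = parse_version(version)[:2]
    return ".".join(map(str, FIXED_BY_BRANCH.get(branch, OLDEST_FIXED)))


def triage(inventory):
    """Return (host, version, fix) for every affected host in an inventory."""
    return [(host, ver, recommended_fix(ver))
            for host, ver in inventory.items() if is_affected(ver)]


# Constructed inventory of hosts and reported build numbers.
INVENTORY = {
    "dvls-prod-01": "2026.2.4.0",
    "dvls-prod-02": "2026.2.5.0",
    "dvls-lab": "2026.1.20.0",
    "dvls-legacy": "2025.3.9.0",
}

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-14s %-12s upgrade to %s" % row)
```

One caveat the helper makes visible: the advisory lists 2026.2.4.0 as the only affected build on the 2026.2.x branch, so 2026.2.0.0 through 2026.2.3.0 are treated as unaffected here exactly as the advisory states them; if you run one of those builds, confirm its status with the vendor rather than inferring it from this script.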
