CVE-2026-10787
Received - Intake
Missing Authorization in Devolutions Server API Allows Group Metadata Enumeration

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Devolutions Inc.

Description
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

This issue affects:

  • Devolutions Server 2026.2.4.0
  • Devolutions Server 2026.1.20.0 and earlier
Meta Information

  • Published: 2026-06-08
  • Last Modified: 2026-06-08
  • Generated: 2026-06-09
  • AI Q&A: 2026-06-08
  • EPSS Evaluated: N/A
Affected Vendors & Products

Showing 5 associated CPEs

Vendor | Product | Version / Range
devolutions | server | 2026.2.4.0
devolutions | server | to 2026.1.20.0 (exc)
devolutions | server | 2026.1.20.0
devolutions | server | to 2026.2.5.0 (exc)
devolutions | server | to 2026.1.21.0 (exc)
CWE

CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability is a missing authorization issue in the deleted user groups API of Devolutions Server. It allows an authenticated user with low privileges to send a specially crafted API request and enumerate metadata of deleted user groups, which they should not normally have access to.

Impact Analysis

A low-privileged authenticated user can gain unauthorized access to metadata about deleted user groups. This could potentially lead to information disclosure, which might be used to understand the system's structure or to support further exploitation.

Mitigation Strategies

The recommended immediate step is to upgrade Devolutions Server to a version where this issue is fixed:

  • Upgrade to Devolutions Server version 2026.2.5.0 or higher.
  • Alternatively, upgrade to version 2026.1.21.0 or higher if using the 2026.1.x branch.