CVE-2026-9522
Status: Analyzed - Analysis Complete
Improper Access Control in Devolutions Server

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Devolutions Inc.

Description
Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations.
Meta Information

Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-23
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-21
Affected Vendors & Products

Vendor: devolutions
Product: devolutions_server
Version / Range: up to 2026.1.20.0 (excluding)
CWE

CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Detection Guidance

This vulnerability affects Devolutions Server versions 2026.1.19 and earlier, specifically allowing an authenticated user without administrative privileges to delete network discovery scan configurations via the PAM account discovery feature.

To determine whether your system is vulnerable, first verify the version of Devolutions Server running on your system. If it is version 2026.1.19 or earlier, it is potentially vulnerable.

You can check the installed version by running a command similar to:

  • On the server hosting Devolutions Server, run: `devolutions-server --version` or check the application version via its management interface.

Additionally, to detect whether unauthorized deletion of network discovery scan configurations has already occurred, review the Devolutions Server audit logs or system logs for changes to network discovery configurations.

  • Check logs for deletion events or configuration changes related to network discovery scans, paying particular attention to such events performed by accounts that do not hold administrative privileges.

Since the vulnerability requires authentication but no administrative privileges, monitoring user activities and access logs for unusual deletion actions by non-admin users can help detect exploitation.

Executive Summary

CVE-2026-9522 is a medium-severity vulnerability in Devolutions Server versions 2026.1.19 and earlier. It involves improper access control in the PAM (Privileged Access Management) account discovery feature. Specifically, an authenticated user who does not have administrative privileges can delete network discovery scan configurations.

Impact Analysis

This vulnerability allows a user with low privileges but authenticated access to delete network discovery scan configurations. This could disrupt network management and monitoring activities, potentially leading to gaps in network visibility and security oversight.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Devolutions Server to version 2026.2.4 or later, or at least to version 2026.1.20 or later.
