CVE-2026-9522
Improper Access Control in Devolutions Server
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Devolutions Inc.
Description
Improper access control in the PAM (Privileged Access Management) account discovery feature of Devolutions Server: an authenticated user without administrative privileges can delete network discovery scan configurations (details in the Q&A below).
CVSS Scores: not provided on this page
EPSS Scores: probability and percentile not provided on this page
Affected Vendors & Products
| Vendor | Product | Version / Range | Status (per the mitigation guidance on this page) |
|---|---|---|---|
| devolutions | server | to 2026.1.19 (exc) | Affected (2026.1 branch) |
| devolutions | server | to 2026.2.4 (exc) | Affected (2026.2 branch) |
| devolutions | server | From 2026.1.20 (inc) | Fixed (2026.1 branch) |
| devolutions | server | From 2026.2.4 (inc) | Fixed (2026.2 branch) |
Note: the first row's "(exc)" upper bound is inconsistent with the Q&A and the fix version below, both of which place 2026.1.19 itself in the affected set (fixed in 2026.1.20). Treat 2026.1.19 as affected.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | Not assigned on this page (the advisory title describes the weakness as improper access control) |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9522 is a medium-severity vulnerability in Devolutions Server versions 2026.1.19 and earlier. It involves improper access control in the PAM (Privileged Access Management) account discovery feature. Specifically, an authenticated user who does not have administrative privileges can delete network discovery scan configurations.
How can this vulnerability impact me?
Any authenticated user, without administrative privileges, can delete network discovery scan configurations in the PAM account discovery feature. The impact is to integrity and availability of the discovery function rather than confidentiality: once a scan configuration is deleted, the scans it defined no longer run, so accounts they would have discovered go unnoticed and the configurations must be recreated. In a PAM deployment this creates gaps in privileged-account visibility and oversight. The page does not describe any privilege escalation or data exposure beyond the deletion itself.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Devolutions Server on the branch you run: 2026.1.x installations to 2026.1.20 or later, 2026.2.x installations to 2026.2.4 or later. After upgrading, confirm with a non-administrative test account that it can no longer delete network discovery scan configurations, and review existing configurations so that any deleted before the upgrade can be restored.
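To decide whether a given installation falls in the affected ranges above, the branch matters as much as the number: 2026.1.25 is fixed even though it sorts below 2026.2.4. The following helper is an added example, not code from Devolutions or from this page. It encodes the page's two fixed versions, treats 2026.1.19 as affected (following the Q&A and the fix version rather than the table's "(exc)"), treats any earlier branch as affected per "2026.1.19 and earlier", and returns None for later branches the page says nothing about. The version string is assumed to be supplied by the administrator from the server's own version display; the dotted-numeric format with an optional fourth component is an assumption.

```python
import re
from typing import Optional, Tuple

# Fixed versions stated on this page, keyed by (year, minor) branch.
FIXED_IN = {
    (2026, 1): (2026, 1, 20),
    (2026, 2): (2026, 2, 4),
}
OLDEST_FIXED_BRANCH = min(FIXED_IN)

# Assumption: versions are dotted numerics such as 2026.1.19 or 2026.1.19.0;
# only the first three components are compared.
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in a range this page lists as affected,
    False if it is at or beyond the branch's fixed version,
    None if the branch is newer than anything the page covers."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    if branch < OLDEST_FIXED_BRANCH:
        # "2026.1.19 and earlier": every older branch is affected.
        return True
    return None


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed version on the installation's own branch, or the
    newest fixed version listed when the branch predates both fixes."""
    if is_affected(version) is not True:
        return None
    branch = parse_version(version)[:2]
    target = FIXED_IN.get(branch) or max(FIXED_IN.values())
    return ".".join(str(c) for c in target)


def assess(version: str) -> str:
    state = is_affected(version)
    if state is None:
        return f"{version}: branch not covered by this advisory"
    if state:
        return f"{version}: AFFECTED, upgrade to {recommended_upgrade(version)} or later"
    return f"{version}: not affected (at or beyond the branch fix)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["2026.1.19", "2026.1.20", "2026.2.3", "2026.2.4.0", "2025.3.10", "2026.3.1"]:
        print(assess(v))
```

The branch-aware comparison is the point: a plain "version < 2026.2.4" test would wrongly flag every patched 2026.1.x server, and a plain "version < 2026.1.20" test would wrongly clear 2026.2.0 through 2026.2.3.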