Devolutions Server Improper Access Control (CVE-2026-9590): Authenticated Users Can Modify Assets Without Permission

An improper access control vulnerability in Devolutions Server, tracked as CVE-2026-9590, allows authenticated users with entry edit privileges to modify asset information without the required authorisation. The vulnerability carries a CVSS score of 5.3 and affects Devolutions Server versions up to 2026.1.19. The fix is available in version 2026.1.20.0.

What Is the Vulnerability?

CVE-2026-9590 is an improper access control vulnerability in the permission validation component of Devolutions Server — the self-hosted privileged access management (PAM) platform used by organisations to manage, store, and control access to credentials, secrets, and privileged sessions. The vulnerability allows an authenticated user who has been granted entry edit privileges — but not the specific permission to modify certain asset information — to bypass the permission check and modify asset data they should not have access to.

The practical impact is that a user with limited editing privileges — intended to allow them to update only specific entries or fields — can escalate their effective access by modifying asset information outside their authorised scope. In a PAM context, this could mean modifying credentials metadata, connection details, or access policies associated with privileged accounts, creating a pathway to expanded access within the managed environment.

The vulnerability is classified under CWE-284 (Improper Access Control):

  • CVSS v3.1 Score: 5.3 (Medium)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: None (UI:N)
  • Impact: None on confidentiality, low on integrity, none on availability (C:N/I:L/A:N)

Which Versions Are Affected?

The vulnerability affects Devolutions Server:

  • Devolutions Server 2026.1.19 and all earlier versions

The fix was released in Devolutions Server 2026.1.20.0.

Is It Being Exploited in the Wild?

No active exploitation has been publicly reported. The vulnerability requires authenticated access with existing edit privileges, which limits the attack surface compared to unauthenticated vulnerabilities. However, Devolutions Server is a PAM platform — it manages privileged credentials and secrets. Any vulnerability that allows permission bypass within a PAM system should be treated seriously, as the potential blast radius of compromised privileged credentials is high.

What Is the Fix?

Devolutions has released a fix in version 2026.1.20.0. The official advisory is available at:

https://devolutions.net/security/advisories/DEVO-2026-0014/

Update Devolutions Server to version 2026.1.20.0 or later via the Devolutions update mechanism.

Recommendations

Update Devolutions Server to 2026.1.20.0. While the CVSS score is medium and exploitation requires authenticated access, the platform’s role as a privileged access management system means permission bypass vulnerabilities should be addressed promptly. The update is a minor version increment and should be deployable with minimal testing overhead.

Review asset modification logs. After updating, review Devolutions Server audit logs for asset modifications performed by users who should not have had permission to modify those specific assets. Look for modifications to credential entries, connection details, or access policies by users whose role does not normally include those permissions.

Audit user permissions. Use this vulnerability as an opportunity to review the permission model in your Devolutions Server deployment. Ensure that the principle of least privilege is applied — users should have only the entry edit permissions they genuinely need, and sensitive assets should have additional access controls beyond the default permission model.
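To make the log review above concrete, here is an added example (not Devolutions code) that models the two-level check the advisory describes, an entry-edit grant plus a separate grant for an entry's asset fields, and runs it over audit records to flag modifications that a correct check would have refused. The record layout, the permission model, the field names and the sample users are constructed assumptions; map them onto the fields your own Devolutions Server audit export contains.

```python
from dataclasses import dataclass

# Hypothetical permission model (constructed): an entry-edit grant is
# separate from the finer grant that covers an entry's asset fields.
ASSET_FIELDS = frozenset({"host", "credential", "access_policy"})

@dataclass(frozen=True)
class Grant:
    can_edit_entry: bool
    asset_fields: frozenset = frozenset()  # asset fields this user may change

def is_authorised(grants, user, entry, fieldname):
    """Entry-edit rights are necessary but not sufficient: an asset field
    additionally needs its own grant. The bypass described for
    CVE-2026-9590 amounts to the second condition not being enforced."""
    grant = grants.get((user, entry))
    if grant is None or not grant.can_edit_entry:
        return False
    if fieldname in ASSET_FIELDS:
        return fieldname in grant.asset_fields
    return True

def parse_record(line):
    """Constructed record layout: timestamp|user|action|entry|field."""
    ts, user, action, entry, fieldname = line.strip().split("|")
    return {"ts": ts, "user": user, "action": action,
            "entry": entry, "field": fieldname}

def find_out_of_scope_edits(log_lines, grants):
    """Return the modify records that the correct check would have refused."""
    hits = []
    for line in log_lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] != "modify":
            continue
        if not is_authorised(grants, rec["user"], rec["entry"], rec["field"]):
            hits.append(rec)
    return hits

# Constructed sample data: bob may edit entry E2 but none of its asset fields.
SAMPLE_GRANTS = {
    ("alice", "E1"): Grant(True, frozenset({"host", "credential"})),
    ("bob", "E2"): Grant(True),
    ("carol", "E2"): Grant(False),
}
SAMPLE_LOG = [
    "2026-06-01T09:00:00Z|alice|modify|E1|credential",     # in scope
    "2026-06-01T09:05:00Z|bob|modify|E2|name",              # in scope
    "2026-06-01T09:07:00Z|bob|modify|E2|access_policy",     # out of scope
    "2026-06-01T09:09:00Z|carol|view|E2|credential",        # not a modify
    "2026-06-01T09:11:00Z|alice|modify|E1|access_policy",   # out of scope
]

if __name__ == "__main__":
    for hit in find_out_of_scope_edits(SAMPLE_LOG, SAMPLE_GRANTS):
        print(f"{hit['ts']} {hit['user']} changed {hit['field']} on {hit['entry']}")
```

Records flagged by this check are the ones worth tracing back to see whether the pre-patch server actually accepted them.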

References
This advisory is covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
