CVE-2026-4989 - AskarLabs CVE Database

CVE-2026-4989

Vendor Devolutions

Product Server

Weakness CWE-918 · SSRF

Published April 1, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.

Key dates

02Disclosure timeline

April 1, 2026 CVE published

April 1, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4989 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2024-40632 Linkerd potential access to the shutdown endpoint CVE-2025-58615 WordPress WP Bannerize Pro Plugin <= 1.10.0 - Server Side Request Forgery (SSRF) Vulnerability CVE-2025-58641 WordPress Exit Intent Popup Plugin <= 1.0.1 - Server Side Request Forgery (SSRF) Vulnerability CVE-2026-31818 Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist CVE-2026-48148 Budibase: Unvalidated VectorDB Host Parameter Enables SSRF

Identifiers

CVE CVE-2026-4989

CWE CWE-918

Affected versions

Vendor Devolutions

Product Server

Affected ≥ 2026.1.1 and ≤ 2026.1.11

Vendor Devolutions

Product Server

Affected ≥ 2025.3.1 and ≤ 2025.3.17