CVE-2026-5146 - AskarLabs CVE Database

CVE-2026-5146

Vendor Devolutions

Product Server

Weakness CWE-862 · Missing authorization

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier

Key dates

02Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5146 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-49248 WordPress Team Showcase plugin < 25.05.13 - Broken Access Control Vulnerability CVE-2025-7717 File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089 CVE-2025-24679 WordPress Internal Links Manager plugin <= 2.5.2 - Broken Access Control vulnerability CVE-2023-53923 UliCMS 2023.1 Privilege Escalation via Unauthenticated Admin Account Creation CVE-2025-40837 Ericsson Indoor Connect 8855 - Missing Authorization Vulnerability

Identifiers

CVE CVE-2026-5146

CWE CWE-862

Affected versions

Vendor Devolutions

Product Server

Affected ≥ 2026.1.6.0 and ≤ 2026.1.15.0

Vendor Devolutions

Product Server

Affected ≤ 2025.3.19.0