CVE-2026-9246 - AskarLabs CVE Database

CVE-2026-9246

Vendor Devolutions

Product Server

Weakness CWE-862 · Missing authorization

Published May 22, 2026

Last update May 22, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Key dates

02Disclosure timeline

May 22, 2026 CVE published

May 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-9246 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-40937 RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks CVE-2025-10690 Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation CVE-2025-22657 WordPress Atarim plugin <= 4.0.9 - Arbitrary Content Deletion vulnerability CVE-2026-32362 WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.1.3 - Broken Access Control vulnerability CVE-2025-12955 Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure

Identifiers

CVE CVE-2026-9246

CWE CWE-862

Affected versions

Vendor Devolutions

Product Server

Affected ≥ 2026.1.6.0 and ≤ 2026.1.16.0

Vendor Devolutions

Product Server

Affected ≤ 2025.3.20.0