CVE-2026-8477

LOW EPSS 7.5%

Published May 22, 20261mo ago · Modified Jun 17, 20261w ago

2.7 CVSS 3.1

Low

Published May 22, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

CVSS Details

Base Score

2.7

Exploitability

1.2

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

7.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-841

Affected Products 2

Vendor	Product	Version	Range
devolutions	devolutions_server	*	<2025.3.22.0
devolutions	devolutions_server	*	≥2026.1.6.0 – <2026.1.19.0

References 1

devolutions.net https://devolutions.net/security/advisories/DEVO-2026-0013/

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.