{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1007", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-01-15T21:15:42.207Z", "datePublished": "2026-01-19T14:32:06.163Z", "dateUpdated": "2026-01-20T15:02:33.576Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThanOrEqual": "2025.3.12", "status": "affected", "version": "2025.3.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.<p>This issue affects Server: from 2025.3.1 through 2025.3.12.</p>"}], "value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-19T14:32:06.163Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:59:01.092565Z", "id": "CVE-2026-1007", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:02:33.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1007", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T14:59:01.092565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:59:49.665Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2025.3.1", "versionType": "custom", "lessThanOrEqual": "2025.3.12"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.<p>This issue affects Server: from 2025.3.1 through 2025.3.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-01-19T14:32:06.163Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1007", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:02:33.576Z", "dateReserved": "2026-01-15T21:15:42.207Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-01-19T14:32:06.163Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AB0B4A6-06F7-48B3-8A6A-FF16B36CA000", "versionEndExcluding": "2025.3.14.0", "versionStartIncluding": "2025.3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12."}], "id": "CVE-2026-1007", "lastModified": "2026-02-10T16:59:28.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-19T15:15:50.220", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:13:15.296586+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to a version newer than 2025.3.12 to apply the vendor\u2011supplied fix.", "Verify that deny\u2011IP rules are correctly defined and enforce them at the network perimeter.", "If the virtual gateway component is not required, consider disabling or removing it to reduce the attack surface."], "summary": {"action": "Patch", "impact": "Authorization Bypass / Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Devolutions Server, versions 2025.3.1 through 2025.3.12.\n", "description_and_impact": "The vulnerability is an incorrect authorization flaw in the virtual gateway component of Devolutions Server. It allows attackers to bypass configured deny\u2011IP rules, giving them unintended network access to internal resources that should be blocked. This results in unauthorized access and potential compromise of data confidentiality and integrity.\n", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network\u2011based; an attacker who can reach the virtual gateway component could target it and exploit the authorization bypass.\n"}}}}, "created": "2026-01-20T08:43:34.875505+00:00", "updated": "2026-04-18T05:15:15.987092+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$devolutions_server"]}