{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1768", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-02-02T15:49:01.125Z", "datePublished": "2026-02-24T19:01:07.640Z", "dateUpdated": "2026-02-26T16:12:31.144Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Devolutions Server", "vendor": "Devolutions", "versions": [{"lessThan": "2025.3.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.<p>This issue affects Devolutions Server: before 2025.3.15.</p>"}], "value": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15."}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-02-24T19:01:07.640Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:12:05.695636Z", "id": "CVE-2026-1768", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:12:31.144Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1768", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T16:12:05.695636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:11:29.108Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "affected": [{"vendor": "Devolutions", "product": "Devolutions Server", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.3.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15.", "supportingMedia": [{"type": "text/html", "value": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.<p>This issue affects Devolutions Server: before 2025.3.15.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-02-24T19:01:07.640Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1768", "state": "PUBLISHED", "dateUpdated": "2026-02-26T16:12:31.144Z", "dateReserved": "2026-02-02T15:49:01.125Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-02-24T19:01:07.640Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DB87A4B-D40B-442F-8BF5-CA935BFADB3D", "versionEndExcluding": "2025.3.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15."}], "id": "CVE-2026-1768", "lastModified": "2026-02-26T17:23:01.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-24T20:27:46.300", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.3.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Devolutions Server", "source": "cna", "vendor": "Devolutions"}, "product": "devolutions_server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-17T15:40:49.072485+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to version 2025.3.15 or later. ", "If an upgrade cannot be performed immediately, reset or clear the permission cache to remove the poisoned entries. ", "Restrict user permissions to the minimum required for their roles and monitor for unusual access patterns."], "summary": {"action": "Apply Patch", "impact": "Permission bypass allowing unauthorized access to entries"}, "threat_synthesis": {"affected_systems": "The flaw affects Devolutions Server versions prior to 2025.3.15. Users running those versions risk having their access controls subverted and their data exposed.", "description_and_impact": "The vulnerability is a permission cache poisoning flaw in Devolutions Server. An authenticated user can manipulate the cache and gain access to entries they should not be able to view, effectively bypassing the server\u2019s ACL enforcement. The impact is direct unauthorized data exposure to legitimate accounts that have not been granted the necessary permissions.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% shows that widespread exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need valid credentials with which to change the permission cache, so the threat remains largely confined to legitimate users with some level of access. Nonetheless, the potential for unauthorized data access makes it prudent to mitigate as soon as possible."}}}}, "created": "2026-02-25T11:35:39.980692+00:00", "title": "Permission Cache Poisoning Allows Bypassing Access Controls in Devolutions Server", "updated": "2026-04-17T15:45:15.904117+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$devolutions_server"]}