{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3131", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-02-24T16:52:20.741Z", "datePublished": "2026-02-24T19:01:29.096Z", "dateUpdated": "2026-02-26T16:09:13.047Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThan": "2025.3.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper\n access control in multiple DVLS REST API endpoints in Devolutions \nServer 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data."}], "value": "Improper\n access control in multiple DVLS REST API endpoints in Devolutions \nServer 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-02-24T19:01:29.096Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:08:53.930176Z", "id": "CVE-2026-3131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:09:13.047Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T16:08:53.930176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:07:48.631Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.3.15", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper\n access control in multiple DVLS REST API endpoints in Devolutions \nServer 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.", "supportingMedia": [{"type": "text/html", "value": "Improper\n access control in multiple DVLS REST API endpoints in Devolutions \nServer 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-02-24T19:01:29.096Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3131", "state": "PUBLISHED", "dateUpdated": "2026-02-26T16:09:13.047Z", "dateReserved": "2026-02-24T16:52:20.741Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-02-24T19:01:29.096Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DB87A4B-D40B-442F-8BF5-CA935BFADB3D", "versionEndExcluding": "2025.3.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper\n access control in multiple DVLS REST API endpoints in Devolutions \nServer 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data."}], "id": "CVE-2026-3131", "lastModified": "2026-02-26T17:23:03.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-24T20:27:50.883", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@devolutions.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.3.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-17T15:40:28.497253+00:00", "value": {"mitigation_remediation": ["Install the latest Devolutions Server release that incorporates the access\u2011control fix, or upgrade to any version newer than 2025.3.14.0.", "Reduce the scope of view\u2011only permissions by removing the role from users who do not need it, or temporarily disable view\u2011only access until the patch is applied.", "Restrict access to the affected REST API endpoints via firewall rules or network segmentation to limit potential exposure until a vendor patch is deployed."], "summary": {"action": "Apply Patch Now", "impact": "Unauthorized disclosure of connection data"}, "threat_synthesis": {"affected_systems": "The flaw affects Devolutions Server releases 2025.3.14.0 and earlier. Any deployment of these versions that exposes the documented API endpoints to authenticated clients is susceptible. Organizations running older versions must verify and upgrade accordingly.", "description_and_impact": "The vulnerability resides in Devolutions Server's REST API endpoints, where an authenticated user possessing only view\u2011only rights can read sensitive connection data. This improper access control allows an attacker to exfiltrate confidential information that should be restricted to privileged users, compromising confidentiality and potentially exposing credentials used to connect to backend systems. The weakness is cataloged as CWE\u2011200, an information\u2011exposure flaw.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium\u2011to\u2011high risk, while an EPSS score of less than 1% suggests that exploitation is currently rare. Because the flaw requires valid credentials, attackers need to compromise user accounts or acquire view\u2011only tokens, but once authenticated, they can immediately harvest sensitive data. The vulnerability is not listed in the CISA KEV catalog, so no prioritized exploitation is known, yet the potential damage warrants prompt remediation."}}}}, "created": "2026-02-25T11:35:39.146281+00:00", "title": "Improper Access Control Enables View\u2011Only Users to Access Sensitive Connection Data", "updated": "2026-04-17T15:45:15.903279+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}