{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3221", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-02-25T18:20:33.439Z", "datePublished": "2026-02-25T18:29:11.939Z", "dateUpdated": "2026-02-26T16:03:04.217Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThan": "2025.3.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Sensitive\n user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with \naccess to the database to obtain sensitive user \ninformation via direct database access."}], "value": "Sensitive\n user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with \naccess to the database to obtain sensitive user \ninformation via direct database access."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-02-25T18:29:11.939Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T16:02:33.571666Z", "id": "CVE-2026-3221", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:03:04.217Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DB87A4B-D40B-442F-8BF5-CA935BFADB3D", "versionEndExcluding": "2025.3.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sensitive\n user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with \naccess to the database to obtain sensitive user \ninformation via direct database access."}], "id": "CVE-2026-3221", "lastModified": "2026-02-28T00:43:23.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-25T19:43:26.530", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0004/"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.3.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-18T10:38:34.238912+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to a version released after 2025.3.14 that encrypts sensitive user data in the database.", "Restrict database access to privileged accounts only.", "Monitor for unauthorized database access attempts."], "summary": {"action": "Patch", "impact": "Unauthorized disclosure of user account data"}, "threat_synthesis": {"affected_systems": "The issue exists in Devolutions Server 2025.3.14 and earlier releases. No specific edition or deployment type is mentioned, but the affected product is the Devolutions Server database component.", "description_and_impact": "Devolutions Server versions 2025.3.14 and earlier store sensitive user account information in plain text within the database, exposing a sensitive data exposure flaw. An adversary who can access the database can directly read this information, compromising confidentiality of user credentials and personal data. The vulnerability is classified as CWE-312.", "risk_and_exploitability": "The CVSS base score of 4.9 indicates moderate severity, and the EPSS figure of less than 1% suggests that exploitation is unlikely in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have database access, either through local compromise or poorly secured credentials, and does not depend on remote network components."}}}}, "created": "2026-02-26T13:15:06.823768+00:00", "title": "Devolutions Server Database Stores Unencrypted User Account Information", "updated": "2026-04-18T10:45:43.658533+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}