{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3638", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-06T15:19:48.882Z", "datePublished": "2026-03-09T18:51:13.485Z", "dateUpdated": "2026-03-09T19:31:20.567Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-09T18:51:13.485Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "2025.3.11.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><span>Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.</span></div></div>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0007"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:31:17.349014Z", "id": "CVE-2026-3638", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:31:20.567Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:31:17.349014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:31:12.370Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2025.3.11.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0007"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.", "supportingMedia": [{"type": "text/html", "value": "<div><div><span>Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.</span></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-09T18:51:13.485Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3638", "state": "PUBLISHED", "dateUpdated": "2026-03-09T19:31:20.567Z", "dateReserved": "2026-03-06T15:19:48.882Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-03-09T18:51:13.485Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7774C6E3-1E70-46A6-B3B6-B7407FA107D3", "versionEndExcluding": "2025.3.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests."}, {"lang": "es", "value": "Control de acceso inadecuado en los puntos finales de la API de restauraci\u00f3n de usuarios y roles en Devolutions Server 2025.3.11.0 y versiones anteriores permite a un usuario autenticado con bajos privilegios restaurar usuarios y roles eliminados mediante solicitudes de API manipuladas."}], "id": "CVE-2026-3638", "lastModified": "2026-03-30T19:32:08.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-09T19:16:08.720", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0007"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.3.11.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-18T09:41:51.278961+00:00", "value": {"mitigation_remediation": ["Apply the latest Devolutions Server patch or upgrade to a release newer than 2025.3.11.0 where restore\u2011API access control is corrected.", "Implement or verify missing authorization checks (CWE\u2011862) on the user and role restore endpoints so that only accounts with proper administrative privileges can invoke the restore operation.", "Restrict network exposure of the restore API endpoints by firewall rules or network segmentation so that only trusted administrative hosts can reach them.", "If a patch is not yet available, temporarily disable the restore endpoints or block them via a reverse\u2011proxy to prevent unauthorized use.", "Review and revoke low\u2011privileged user accounts with potential restore rights to enforce the principle of least privilege."], "summary": {"action": "Patch", "impact": "Unauthorized restoration of deleted users and roles by low\u2011privileged authenticated users"}, "threat_synthesis": {"affected_systems": "Devolutions Server version 2025.3.11.0 and earlier. The flaw exists in the API endpoints responsible for restoring deleted users and roles.", "description_and_impact": "An improper access control flaw in the user and role restore API endpoints allows a low\u2011privileged authenticated user to restore previously deleted users and roles by sending crafted API requests. This mis\u2011directed access can re\u2011enable a removed user account or re\u2011assign a role that was intended to be permanently revoked, thereby potentially granting the attacker privileges or access that should have been denied. The vulnerability is a permission bypass rather than a remote code execution flaw, but it enables persistence and privilege escalation within the affected system.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate risk, while an EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread public exploitation. Attacks would require an authenticated session with a low\u2011privileged account and crafted API calls, making it a relatively focused threat rather than a broad remote attack vector."}}}}, "created": "2026-03-10T14:07:14.757330+00:00", "title": "Low\u2011Privileged Users Can Restore Deleted Accounts via Improper Access Control", "updated": "2026-04-18T09:45:25.840555+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}