{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4989", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-27T13:42:14.773Z", "datePublished": "2026-04-01T15:07:29.219Z", "dateUpdated": "2026-04-01T17:15:10.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:07:29.219Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.1", "lessThanOrEqual": "2026.1.11", "versionType": "custom"}, {"status": "affected", "version": "2025.3.1", "lessThanOrEqual": "2025.3.17", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.<br><p>This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.</p>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:13:49.659152Z", "id": "CVE-2026-4989", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:15:10.559Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T17:13:49.659152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:13:27.884Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.1", "versionType": "custom", "lessThanOrEqual": "2026.1.11"}, {"status": "affected", "version": "2025.3.1", "versionType": "custom", "lessThanOrEqual": "2025.3.17"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.", "supportingMedia": [{"type": "text/html", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.<br><p>This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:07:29.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4989", "state": "PUBLISHED", "dateUpdated": "2026-04-01T17:15:10.559Z", "dateReserved": "2026-03-27T13:42:14.773Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-04-01T15:07:29.219Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "49328DF9-AC32-4DB7-B5D1-407A280F9F2E", "versionEndExcluding": "2025.3.18.0", "versionStartIncluding": "2025.3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "710C8535-DE31-447E-A7FD-41DC513106F5", "versionEndExcluding": "2026.1.12.0", "versionStartIncluding": "2026.1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17."}], "id": "CVE-2026-4989", "lastModified": "2026-04-03T19:13:27.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T16:23:51.973", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.1,2026.1.11]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.3.1,2025.3.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-03T22:35:51.643029+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to a release newer than 2026.1.11 or 2025.3.17", "Configure network segmentation or firewall rules to block outbound connections from the gateway health check endpoint if an upgrade cannot be applied immediately", "Monitor logs for abnormal health check API requests and other suspicious activity"], "summary": {"action": "Update software", "impact": "Server\u2011side request forgery allowing potential information disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Devolutions Server, released by Devolutions. Vulnerable releases include versions 2026.1.1 through 2026.1.11 and 2025.3.1 through 2025.3.17. Any installation of these version ranges is susceptible.", "description_and_impact": "Improper input validation in the gateway health check feature of Devolutions Server enables an authenticated user with low privileges to issue crafted API requests. The vulnerability, identified as a Server\u2011Side Request Forgery (CWE\u2011918), permits the user to direct the server to request internal or external resources, which can lead to disclosure of sensitive information. The impact is limited to information exposure rather than code execution or denial of service.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication but does not need elevated privileges, making it accessible to many users. The attack vector is inferred to involve sending a malicious API request to the health check endpoint, which then causes the server to perform unauthorized requests to target resources."}}}}, "created": "2026-04-02T07:48:58.647579+00:00", "updated": "2026-04-07T08:07:31.566474+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}