CVE Catalog

CVE-2026-10787

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile - higher than 8% of all known CVEs

Summary

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

Risk Assessment

The organization may be exposed to the disclosure of information about deleted user groups, which could lead to further attacks or security breaches.

Recommendation

It is recommended to implement appropriate authorization mechanisms in the API to restrict access to metadata of deleted user groups.

Original NVD description (English source)

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

Vulnerability data from NVD (NIST) · CISA KEV · EPSS