CVE-2026-12755
CVSS: 2.7 (Low)
EPSS (exploitation probability): 12th percentile, higher than 12% of all known CVEs (low risk)
Summary
A vulnerability in Devolutions Server versions 2026.2.4.0 through 2026.2.7.0 allows an authenticated user holding the UserGroupsView permission to make the server authenticate, with its PAM provider account, to an attacker-controlled host. By supplying a crafted DomainName parameter to the PAM AD discovery endpoints, the attacker captures that account's NTLMv2 challenge-response.
Risk Assessment
The risk is leakage of the PAM provider account's credentials. The captured NTLMv2 challenge-response can be cracked offline if the account password is weak, or relayed to services that accept NTLM authentication without signing, potentially leading to unauthorized system access and privilege escalation within the organization's IT environment. Exploitation requires an existing account with the UserGroupsView permission and a host the Devolutions Server can reach over the network.
Recommendation
Immediately upgrade Devolutions Server to version 2026.2.8.0 or later, which includes a fix for this vulnerability. Until the update is applied, restrict the UserGroupsView permission to trusted users only, and limit outbound SMB and LDAP connections from the server to known domain controllers so that a coerced authentication cannot reach an arbitrary host. Because a challenge-response captured before patching remains usable for offline cracking, rotate the PAM provider account's password after upgrading if misuse of the discovery endpoints cannot be ruled out.
Original NVD description (English source)
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
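The root cause above is that a user-supplied DomainName reached a server-side lookup without being checked against the domains the server was actually configured to discover. The following is an added example of the kind of allowlist validation that closes this class of bug; it is not Devolutions' code and does not claim to reproduce the fix shipped in 2026.2.8.0. The function names, the `configured_domains` set, and the sample inputs are all constructed for illustration.

```python
import ipaddress
import re
from typing import Iterable, Optional

# One DNS label per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_domain(value: str) -> Optional[str]:
    """Return a canonical lowercase DNS name, or None if the value is not a plain name.

    Anything that could steer a server-side SMB/LDAP connection elsewhere is
    rejected: UNC paths, URLs, embedded credentials, ports, IP literals, whitespace.
    """
    if not isinstance(value, str):
        return None
    candidate = value.strip().rstrip(".")
    if not candidate or len(candidate) > 253:
        return None
    # Separators that belong to UNC paths, URLs, userinfo, ports or IPv6 brackets.
    if any(ch in candidate for ch in "\\/@:?#%[] \t\r\n"):
        return None
    # An IP literal is not a domain name; accepting one lets the caller pick any host.
    try:
        ipaddress.ip_address(candidate)
        return None
    except ValueError:
        pass
    if not all(_LABEL.match(label) for label in candidate.split(".")):
        return None
    return candidate.lower()


def validate_discovery_domain(value: str, configured_domains: Iterable[str]) -> str:
    """Allowlist check: DomainName must be one of the AD domains an administrator configured.

    Returns the canonical domain or raises ValueError. The allowlist is the real
    control: a syntactically valid external name such as "attacker.example" must
    still be refused, otherwise the server would authenticate its PAM provider
    account against it. (Hypothetical helper, not the product's own API.)
    """
    canonical = normalize_domain(value)
    if canonical is None:
        raise ValueError(f"DomainName is not a well-formed DNS name: {value!r}")
    allowed = {normalize_domain(d) for d in configured_domains} - {None}
    if canonical not in allowed:
        raise ValueError(f"DomainName {canonical!r} is not a configured AD domain")
    return canonical


def is_allowed_domain(value: str, configured_domains: Iterable[str]) -> bool:
    """Boolean convenience wrapper around validate_discovery_domain."""
    try:
        validate_discovery_domain(value, configured_domains)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample configuration and probes; the last four mimic coercion attempts.
    configured = {"corp.example.com", "lab.example.com"}
    probes = [
        "CORP.example.com.",
        r"\\attacker.example\share",
        "attacker.example",
        "10.0.0.5",
        "corp.example.com@attacker.example",
    ]
    for probe in probes:
        verdict = "accept" if is_allowed_domain(probe, configured) else "reject"
        print(f"{verdict:7} {probe!r}")
```

The two-stage design matters: syntactic normalization alone would still admit `attacker.example`, which is exactly the case the advisory describes, so the allowlist comparison against administrator-configured domains is the check that prevents the coerced authentication.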

