Home

Description

Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure. This issue affects the following versions : * Devolutions Server 2025.3.2.0 through 2025.3.5.0 * Devolutions Server 2025.2.15.0 and earlier

PUBLISHED Reserved 2025-11-06 | Published 2025-11-06 | Updated 2025-11-07 | Assigner DEVOLUTIONS

Problem types

CWE-284: Improper Access Control

Product status

Default status
unaffected

2025.3.2.0 (custom)
affected

Any version
affected

References

devolutions.net/security/advisories/DEVO-2025-0016

cve.org (CVE-2025-12808)

nvd.nist.gov (CVE-2025-12808)

Download JSON