HomeDefault status
unaffected
Any version before 2026.1.23
affected
Any version before 2026.2.12
affected
Description
Improper authorization in the secure messages deletion endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated user to delete another user's messages via a direct object reference to the message identifier.
Problem types
CWE-639 Authorization bypass through User-Controlled key
Product status
Any version before 2026.1.23
Any version before 2026.2.12
References
devolutions.net/security/advisories/DEVO-2026-0024/