HomeDefault status
unaffected
Any version before 2026.1.23
affected
Any version before 2026.2.12
affected
Description
Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier.
Problem types
CWE-639 Authorization bypass through User-Controlled key
Product status
Any version before 2026.1.23
Any version before 2026.2.12
References
devolutions.net/security/advisories/DEVO-2026-0024/