HomeDefault status
unaffected
Any version before 2026.1.23
affected
Any version before 2026.2.12
affected
Description
Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review.
Problem types
Product status
Any version before 2026.1.23
Any version before 2026.2.12
References
devolutions.net/security/advisories/DEVO-2026-0024/