Description

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions:

* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and earlier

PUBLISHED Reserved 2026-03-30 | Published 2026-05-12 | Updated 2026-05-13 | Assigner DEVOLUTIONS

Problem types

CWE-862: Missing Authorization

Product status

Default status
unaffected

2026.1.6.0 (custom)
affected

Any version
affected

References

devolutions.net/security/advisories/DEVO-2026-0012

cve.org (CVE-2026-5146)

nvd.nist.gov (CVE-2026-5146)
