CVE-2026-10787NVD

Vulnerability Summary

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

This issue affects :

* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier

Severity Level

MEDIUM(4.3)

Published Date

Jun 8, 2026

Last Modified

Jun 12, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.03%Probability

Root Weakness (CWE)

CWE-862: Missing Authorization ↗

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeUnchanged

ConfidentialityNone

IntegrityLow

AvailabilityNone

External References

https://devolutions.net/security/advisories/DEVO-2026-0015/

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-10787NVD

Vulnerability Summary

External References