CVE-2026-10786 Overview
CVE-2026-10786 is an improper access control vulnerability [CWE-312] in the ticketing integration settings of Devolutions Server. An authenticated low-privileged user can issue a crafted API request to retrieve cleartext credentials configured for ticketing integrations. The flaw exposes integration secrets that should be restricted to administrators.
The vulnerability affects Devolutions Server 2026.2.4.0 and Devolutions Server 2026.1.20.0 and earlier. Devolutions disclosed the issue in security advisory DEVO-2026-0015.
Critical Impact
Authenticated low-privileged users can extract cleartext credentials for third-party ticketing systems, enabling lateral movement into connected ITSM platforms.
Affected Products
- Devolutions Server 2026.2.4.0
- Devolutions Server 2026.1.20.0 and earlier
- Ticketing integration module within Devolutions Server
Discovery Timeline
- 2026-06-08 - CVE-2026-10786 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-10786
Vulnerability Analysis
The vulnerability resides in the API surface that manages ticketing integration settings. Devolutions Server integrates with external ticketing platforms to associate session activity with change tickets. These integrations require stored credentials so the server can call the remote ITSM API.
The server fails to enforce administrative role checks on the API endpoint that returns integration configuration. A user authenticated with low privileges can craft a request to this endpoint and receive the stored credentials in cleartext rather than a masked or redacted form. The CWE-312 mapping reflects cleartext storage and exposure of sensitive information.
The vulnerability requires authentication and network access to the server but no user interaction. Successful exploitation results in disclosure of credentials for connected ticketing systems such as ServiceNow, Jira, or Zendesk depending on the integration configured.
Root Cause
The root cause is a missing authorization check on the ticketing integration settings API. The endpoint trusts any authenticated session and returns configuration payloads containing credential fields without filtering or role-based redaction. Sensitive fields are returned to the client rather than withheld server-side.
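The pattern described above, shown as an added illustration beside a hardened form; this is not Devolutions Server code, and the field names, role name and store layout are hypothetical. The hardened handler makes one design choice beyond the text: it masks secrets even for administrators, treating them as write-only.

```python
import copy

# Assumed names throughout: field names, role name and store layout are hypothetical.
SECRET_KEYS = {"password", "apitoken", "clientsecret"}
ADMIN_ROLE = "Administrator"
MASK = "********"

# Constructed sample of a stored integration configuration.
STORE = {"ticketing": {"provider": "ExampleITSM",
                       "url": "https://itsm.example.invalid",
                       "auth": {"username": "svc-integration",
                                "apiToken": "constructed-token-value"}}}

def get_settings_vulnerable(session, store):
    """The flawed pattern: authentication is checked, authorization is not."""
    if not session.get("authenticated"):
        raise PermissionError("authentication required")
    return copy.deepcopy(store["ticketing"])  # secrets leave the server as-is

def redact(value):
    """Mask secret fields at any nesting depth; returns a new structure."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SECRET_KEYS and v else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def get_settings_hardened(session, store):
    """Role check first, then secrets withheld server-side even for admins."""
    if not session.get("authenticated"):
        raise PermissionError("authentication required")
    if ADMIN_ROLE not in session.get("roles", ()):
        raise PermissionError("administrator role required")
    return redact(store["ticketing"])

if __name__ == "__main__":
    low = {"authenticated": True, "roles": ["User"]}
    print(get_settings_vulnerable(low, STORE)["auth"])
    try:
        get_settings_hardened(low, STORE)
    except PermissionError as exc:
        print("denied:", exc)
    print(get_settings_hardened({"authenticated": True, "roles": [ADMIN_ROLE]}, STORE))
```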
Attack Vector
An attacker first authenticates to Devolutions Server with any valid low-privileged account. The attacker then issues a crafted API request targeting the ticketing integration configuration endpoint. The server returns the full configuration object, including cleartext credentials for the configured ticketing platform. The attacker reuses these credentials to access the connected ITSM system, where they can read sensitive tickets or modify change records.
No verified public proof-of-concept is available. Refer to the Devolutions Security Advisory DEVO-2026-0015 for vendor-supplied details.
Detection Methods for CVE-2026-10786
Indicators of Compromise
- API requests from non-administrative accounts to ticketing integration configuration endpoints on Devolutions Server.
- Unexpected authentication events on connected ticketing platforms originating from credentials stored in Devolutions Server integrations.
- Audit log entries showing low-privileged users accessing the integrations or settings sections programmatically.
Detection Strategies
- Review Devolutions Server application logs for API calls to ticketing integration settings made by accounts without administrator role assignments.
- Correlate Devolutions Server audit logs with ticketing platform access logs to identify reuse of integration credentials from new source IPs or user agents.
- Alert on high-volume settings or configuration API requests from a single low-privileged session.
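One way to implement the first and third strategies over exported request logs, as an added example that is not vendor code. The JSON field names, the role name, the thresholds and the endpoint prefix are assumptions (the advisory does not give the endpoint path, so a placeholder is used), and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): path prefix, role name, thresholds, field names.
SETTINGS_PREFIX = "/api/PLACEHOLDER-ticketing-settings"
ADMIN_ROLE = "Administrator"
WINDOW, BURST = timedelta(minutes=5), 3

# Constructed sample events, one JSON object per line, in chronological order.
SAMPLE = """\
{"ts":"2026-06-10T09:00:00","user":"alice","session":"s1","roles":["Administrator"],"path":"/api/PLACEHOLDER-ticketing-settings"}
{"ts":"2026-06-10T09:00:05","user":"bob","session":"s2","roles":["User"],"path":"/api/PLACEHOLDER-ticketing-settings"}
{"ts":"2026-06-10T09:00:20","user":"bob","session":"s2","roles":["User"],"path":"/api/PLACEHOLDER-ticketing-settings/1"}
not-json garbage line
{"ts":"2026-06-10T09:01:10","user":"bob","session":"s2","roles":["User"],"path":"/api/PLACEHOLDER-ticketing-settings/2"}
{"ts":"2026-06-10T09:02:00","user":"carol","session":"s3","roles":["User"],"path":"/api/sessions"}
{"ts":"2026-06-10T09:10:00","user":"dave","session":"s4","roles":[],"path":"/api/PLACEHOLDER-ticketing-settings"}
""".splitlines()

def detect(lines):
    """Return (rule, user, session, ts) alerts for settings reads by non-admins."""
    alerts, recent = [], defaultdict(deque)  # recent: session -> request times
    for line in lines:
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            path, session = str(ev["path"]), ev["session"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip rather than abort the scan
        if not path.startswith(SETTINGS_PREFIX) or ADMIN_ROLE in (ev.get("roles") or []):
            continue
        alerts.append(("non_admin_settings_access", ev.get("user"), session, ev["ts"]))
        q = recent[session]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop requests that fell out of the window
            q.popleft()
        if len(q) == BURST:  # fire once when the session reaches the threshold
            alerts.append(("settings_request_burst", ev.get("user"), session, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```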
Monitoring Recommendations
- Forward Devolutions Server logs into a centralized SIEM and build alerts for configuration endpoint access by non-administrators.
- Monitor connected ticketing platforms for sign-ins from the Devolutions Server service account outside expected schedules or source ranges.
- Rotate and monitor integration credentials, treating any anomalous use as a potential indicator of exploitation.
How to Mitigate CVE-2026-10786
Immediate Actions Required
- Upgrade Devolutions Server to a fixed version as documented in advisory DEVO-2026-0015.
- Rotate all credentials stored in ticketing integration settings, assuming they may have been disclosed.
- Audit Devolutions Server user accounts and remove any unnecessary low-privileged accounts that could be abused.
Patch Information
Devolutions has released a security update addressing CVE-2026-10786. Administrators should apply the fixed Devolutions Server build referenced in the Devolutions Security Advisory DEVO-2026-0015. Versions 2026.2.4.0 and 2026.1.20.0 and earlier are affected and must be upgraded.
Workarounds
- Temporarily disable ticketing integrations until the server is patched, removing stored credentials from the configuration.
- Restrict network access to the Devolutions Server administrative interface and API to trusted management networks only.
- Enforce least-privilege principles and remove unused user accounts to reduce the population of authenticated users who could exploit the flaw.
Configuration example: rotate integration credentials after patching
1. Update Devolutions Server to the fixed release per DEVO-2026-0015
2. In the admin console: Administration > Ticketing > Edit each integration
3. Revoke the existing API token on the ticketing platform
4. Generate a new token and update the integration setting
5. Verify only administrators can read integration configuration via API
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

