
CVE-2026-10787: Devolutions Server Auth Bypass Flaw

CVE-2026-10787 is an authorization bypass flaw in Devolutions Server that lets low-privileged users enumerate deleted user group metadata. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-10787 Overview

CVE-2026-10787 is a missing authorization vulnerability [CWE-862] in the deleted user groups API of Devolutions Server. An authenticated low-privileged user can enumerate metadata of deleted user groups through a crafted API request. The flaw bypasses authorization controls that should restrict access to administrative information.

The vulnerability affects Devolutions Server 2026.2.4.0 and Devolutions Server 2026.1.20.0 and earlier. Devolutions assigned a medium severity rating with a CVSS 3.1 base score of 4.3. The issue exposes deleted group metadata, affecting its confidentiality and integrity, to users who should not have visibility into that data.

Critical Impact

Authenticated low-privileged users can enumerate deleted user group metadata through the Devolutions Server API, exposing organizational structure information that should be restricted to administrators.

Affected Products

  • Devolutions Server 2026.2.4.0
  • Devolutions Server 2026.1.20.0 and earlier
  • Devolutions privileged access management deployments using the deleted user groups API

Discovery Timeline

  • 2026-06-08 - CVE-2026-10787 published to the National Vulnerability Database
  • 2026-06-09 - Entry last modified in the NVD database
  • 2026-06-11 - EPSS score published at 0.026% (percentile 7.929)

Technical Details for CVE-2026-10787

Vulnerability Analysis

The vulnerability stems from a missing authorization check on an API endpoint that returns metadata for deleted user groups in Devolutions Server. The endpoint validates that the caller is authenticated but does not verify whether the caller holds the privilege required to view administrative records. As a result, any low-privileged authenticated user can issue requests that return data intended for administrators.

Devolutions Server is a self-hosted privileged access and password management platform. User group metadata typically describes organizational structure, role mappings, and permission scopes. Exposing this metadata, even for deleted groups, provides attackers with reconnaissance data useful for follow-on privilege escalation attempts.

The issue is classified under [CWE-862] Missing Authorization. Beyond a limited integrity impact, the vulnerability does not enable data modification, and it does not affect availability. Refer to the Devolutions Security Advisory DEVO-2026-0015 for vendor-confirmed technical details.

Root Cause

The API handler for deleted user groups omits a role or permission check before returning metadata. Authentication establishes identity but does not enforce the principle of least privilege. The handler trusts any session token without validating whether the underlying user account holds rights to administrative resources.
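The following added example illustrates the CWE-862 pattern described above in a minimal, hypothetical handler; it is not Devolutions Server code, and the session model, role names and group data are constructed for illustration. The vulnerable handler stops at authentication, while the hardened handler also enforces the administrative role before returning soft-deleted group metadata.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    ADMINISTRATOR = "administrator"


@dataclass
class Session:
    """Authenticated caller. Hypothetical shape, not the product's session model."""
    user: str
    role: Role


@dataclass
class DeletedGroup:
    group_id: int
    name: str


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample of soft-deleted groups that only administrators should see.
DELETED_GROUPS = [
    DeletedGroup(17, "Finance-Admins"),
    DeletedGroup(42, "Legacy-DBA"),
]


def require_session(session):
    """Authentication only: establishes identity, says nothing about rights."""
    if session is None:
        raise Unauthenticated("no valid session")


def list_deleted_groups_vulnerable(session):
    """CWE-862 pattern: the caller is authenticated, but the role is never checked,
    so any low-privileged account receives administrative metadata."""
    require_session(session)
    return [(g.group_id, g.name) for g in DELETED_GROUPS]


def require_role(session, role):
    """Authorization: the privilege required for the resource is enforced."""
    if session.role is not role:
        raise Forbidden(f"{session.user} lacks {role.value} rights")


def list_deleted_groups_fixed(session):
    """Hardened handler: authentication followed by an explicit least-privilege check."""
    require_session(session)
    require_role(session, Role.ADMINISTRATOR)
    return [(g.group_id, g.name) for g in DELETED_GROUPS]


def probe(handler, session):
    """Return what a caller learns from a handler: the metadata or the denial."""
    try:
        return ("ok", handler(session))
    except Forbidden:
        return ("forbidden", [])
    except Unauthenticated:
        return ("unauthenticated", [])


if __name__ == "__main__":
    low_priv = Session("alice", Role.USER)
    admin = Session("root", Role.ADMINISTRATOR)
    print("vulnerable, low-priv :", probe(list_deleted_groups_vulnerable, low_priv))
    print("fixed, low-priv      :", probe(list_deleted_groups_fixed, low_priv))
    print("fixed, administrator :", probe(list_deleted_groups_fixed, admin))
```

The point of the hardened version is that the authorization decision is made inside the handler for the specific resource, not inferred from the mere presence of a valid session token.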

Attack Vector

An attacker with valid low-privileged credentials sends a crafted HTTP request to the deleted user groups API endpoint on the Devolutions Server instance. The server returns metadata for groups that were soft-deleted, exposing names, identifiers, and related attributes. The attack requires network access to the server and an authenticated session but no user interaction.

No public proof-of-concept exploit is currently available. The vendor advisory describes the issue without publishing exploitation details.

Detection Methods for CVE-2026-10787

Indicators of Compromise

  • Unexpected API calls from low-privileged accounts targeting the deleted user groups endpoint
  • Repeated enumeration patterns against administrative API routes within short time windows
  • Authenticated sessions issuing requests inconsistent with the user's normal application usage

Detection Strategies

  • Review Devolutions Server application logs for API requests to deleted user group routes initiated by non-administrative accounts
  • Correlate authentication events with API access patterns to identify privilege boundary violations
  • Baseline normal API usage per role and alert on deviations indicating reconnaissance behavior

Monitoring Recommendations

  • Enable verbose API access logging on the Devolutions Server and forward logs to a central SIEM
  • Monitor outbound HTTP responses for unusually large payloads returned to low-privileged accounts
  • Track failed and successful access attempts against administrative endpoints for trend analysis

How to Mitigate CVE-2026-10787

Immediate Actions Required

  • Upgrade Devolutions Server to a fixed release as documented in the Devolutions Security Advisory DEVO-2026-0015
  • Audit existing user accounts and remove unnecessary low-privileged access to the server
  • Rotate API tokens and session credentials if unauthorized enumeration activity is suspected

Patch Information

Devolutions has published guidance for this vulnerability in advisory DEVO-2026-0015. Administrators should consult the advisory to identify the corrected version applicable to their deployment and apply the upgrade following the vendor's documented procedure. Releases after 2026.2.4.0 address the missing authorization check on the deleted user groups API.

Workarounds

  • Restrict network access to the Devolutions Server administrative API using firewall rules or reverse proxy ACLs
  • Limit account provisioning to trusted users until the patched version is deployed
  • Increase logging verbosity to capture API access attempts during the remediation window
```nginx
# Example: restrict access to the Devolutions Server API at the reverse proxy layer
# Replace 10.0.0.0/24 with your administrative network range
# Note: this rule gates every route under /api/; if other clients need API access,
# confine the allow/deny pair to the administrative routes you intend to restrict
location /api/ {
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://devolutions-server-backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
