CVE-2026-15642
Summary
| CVE | CVE-2026-15642 |
|---|---|
| State | PUBLISHED |
| Assigner | DEVOLUTIONS |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 19:16:51 UTC |
| Updated | 2026-07-15 18:09:54 UTC |
| Description | Insertion of sensitive information into a file in the Recovery Kit response file generation feature in Devolutions Server 2026.1.22.0, 2026.2.11.0 allows an attacker with access to the generated response file to obtain the Azure Key Vault client secret in cleartext, even when the option to exclude sensitive data is selected. |
Risk And Classification
Primary CVSS: v3.1 3.3 LOW from ADP
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.001150000 probability, percentile 0.018210000 (date 2026-07-16)
Problem Types: CWE-200 | CWE-200 CWE-200
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Devolutions | Devolutions Server | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Devolutions | Server | affected 2026.1.23 custom | Not specified |
| CNA | Devolutions | Server | affected 2026.2.12 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| devolutions.net/security/advisories/DEVO-2026-0024 | [email protected] | devolutions.net | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.