CVE-2026-5146
Summary
| CVE | CVE-2026-5146 |
|---|---|
| State | PUBLISHED |
| Assigner | DEVOLUTIONS |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-12 18:17:32 UTC |
| Updated | 2026-05-12 18:17:32 UTC |
| Description | Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions: Devolutions Server 2026.1.6.0 through 2026.1.15.0; Devolutions Server 2025.3.19.0 and earlier. |
Risk And Classification
Problem Types: CWE-862: Missing Authorization
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Devolutions | Server | affected: 2026.1.6.0 through 2026.1.15.0 (version type: custom) | Not specified |
| CNA | Devolutions | Server | affected: 2025.3.19.0 and earlier (version type: custom) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| devolutions.net/security/advisories/DEVO-2026-0012 | [email protected] | devolutions.net | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.