{"api_version":"1","generated_at":"2026-06-19T22:31:31+00:00","cve":"CVE-2026-12117","urls":{"html":"https://cve.report/CVE-2026-12117","api":"https://cve.report/api/cve/CVE-2026-12117.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-12117","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-12117"},"summary":{"title":"CVE-2026-12117","description":"Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request.","state":"PUBLISHED","assigner":"DEVOLUTIONS","published_at":"2026-06-16 20:16:27","updated_at":"2026-06-18 18:30:38"},"problem_types":["CWE-200","CWE-200 CWE-200","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://devolutions.net/security/advisories/DEVO-2026-0017/","name":"https://devolutions.net/security/advisories/DEVO-2026-0017/","refsource":"security@devolutions.net","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-12117","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12117","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Devolutions","product":"Devolutions Server","version":"affected 2026.2.0 2026.2.5 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"12117","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"devolutions","cpe5":"devolutions_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"12117","cve":"CVE-2026-12117","epss":"0.001760000","percentile":"0.073260000","score_date":"2026-06-18","updated_at":"2026-06-19 00:08:11"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-12117","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-17T15:14:42.590567Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-17T15:14:46.588Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Devolutions Server","vendor":"Devolutions","versions":[{"lessThan":"2026.2.5","status":"affected","version":"2026.2.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request."}],"value":"Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-16T18:25:19.018Z","orgId":"bfee16bd-18e6-446c-9a65-f5b2e3d89c23","shortName":"DEVOLUTIONS"},"references":[{"url":"https://devolutions.net/security/advisories/DEVO-2026-0017/"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"bfee16bd-18e6-446c-9a65-f5b2e3d89c23","assignerShortName":"DEVOLUTIONS","cveId":"CVE-2026-12117","datePublished":"2026-06-16T18:25:19.018Z","dateReserved":"2026-06-12T14:47:47.711Z","dateUpdated":"2026-06-17T15:14:46.588Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-16 20:16:27","lastModifiedDate":"2026-06-18 18:30:38","problem_types":["CWE-200","CWE-200 CWE-200","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-17T15:14:42.590567Z","id":"CVE-2026-12117","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.2.4.0","versionEndExcluding":"2026.2.7.0","matchCriteriaId":"78E3C256-48A1-4201-8CAF-1C2CEBA5AD44"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"12117","Ordinal":"1","Title":"CVE-2026-12117","CVE":"CVE-2026-12117","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"12117","Ordinal":"1","NoteData":"Improper access control in the social login connection endpoint in \nDevolutions Server 2026.2.5 allows an authenticated vault member to \nenumerate social login entry metadata to which they are not authorized \nvia a crafted API request.","Type":"Description","Title":"CVE-2026-12117"}]}}}