CVE-2026-6706 PUBLISHED

Assigner: DEVOLUTIONS
Reserved: 20.04.2026 Published: 28.04.2026 Updated: 28.04.2026

Improper access control in the vault documentation feature in Devolutions Server 2026.1.14.0 and earlier allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request.

Product Status

Vendor	Devolutions
Product	Server
Versions	Default: unaffected affected from 0 to 2026.1.14.0 (incl.)

References

https://devolutions.net/security/advisories/DEVO-2026-0011

Problem Types

CWE-862: Missing Authorization CWE