CVE-2026-8407
4.3 MEDIUM · Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissio...
Published: 2026-05-12 · Last updated: 2026-05-26
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-862
Affected products
| Vendor | Product |
|---|---|
| devolutions | devolutions_server |
Description
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions:
- Devolutions Server 2026.1.6.0 through 2026.1.11.0
- Devolutions Server 2025.3.16.0 and earlier
Source: NVD
Related CVEs
Same vendor
- CVE-2026-10787 — Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metad... (4.3 MEDIUM)
- CVE-2026-10786 — Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain... (6.5 MEDIUM)
- CVE-2026-10544 — Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an auth... (6.5 MEDIUM)
- CVE-2026-9590 — Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user w... (5.3 MEDIUM)
- CVE-2026-9522 — Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user wit... (5.4 MEDIUM)
Same CWE
- CVE-2026-53821 — OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy au... (8.8 HIGH)
- CVE-2026-53820 — OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authen... (6.6 MEDIUM)
- CVE-2026-48119 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.1 HIGH)
- CVE-2026-47120 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.1 HIGH)
- CVE-2026-46716 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (9.9 CRITICAL)