CVE-2026-5146

CVE Database · CVE-2026-5146

CVE-2026-5146

· MEDIUMAnalyzed

CVSS v3.1

4.3

EPSS

0.16%

Published

May 12, 2026

Modified

May 26, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-862

Affected Products (2)

devolutions · devolutions_server (up to 2025.3.20.0)vulnerable

devolutions · devolutions_server (up to 2026.1.16.0)vulnerable

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0012

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs