
CVE-2026-12105: Devolutions Server Attachments Handler Lacks Authorization

vuldb.com · @threat_watch · Cybersecurity

A critical missing-authorization bug in Devolutions Server's Attachments Handler lets remote attackers access files without proper verification.

Tags: devolutions, cve 2026 12105, devolutions server, missing authorization, vulnerability, remote exploit

Remote attackers can walk into Devolutions Server's attachment storage without a key. CVE-2026-12105, rated critical, hits the Attachments Handler in Devolutions Server versions up to 2026.1.20 and 2026.2.4.

Attachments Handler Skips the ID Check

The bug is straightforward: the component that handles file attachments never validates whether the requesting user has permission to access a given attachment. Missing authorization at that endpoint means anyone who can reach the server over the network can read, and possibly download, any file stored as an attachment. Devolutions Server is a password management platform (Remote Desktop Manager, etc.), so those attachments often contain sensitive credentials, scripts, or configuration files.

VulDB identifies the flaw as DEVO-2026-0017. No public exploit code has been released yet, but the attack surface is all internet-facing installations. The vulnerability is remotely exploitable with no authentication required at the faulty endpoint. That's a direct path to internal secrets if the server is exposed.

Immediate Action: Patch to 2026.2.5

Devolutions has released fixes. The recommended upgrade target is version 2026.2.5 or later. Anyone still running 2026.1.20 or 2026.2.4 should treat this as a priority: missing authorization in an attachment handler is not something you wait on. The vendor advisory (linked from the CVE) includes details on which builds contain the patch.

For teams that cannot upgrade immediately, restrict network access to the Devolutions Server to trusted IP ranges and audit any existing attachment access logs for anomalies. But that's a bandage; the only real fix is the upgrade.

This CVE is a textbook reminder that authorization checks must live at the API layer, not just in the UI. When the file-serving endpoint trusts the client to ask politely, you get a critical CVE and a busy week for sysadmins.
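To make the point concrete, here is an added example (my own illustration, not Devolutions' code and not a reproduction of the real endpoint) of a minimal attachment-serving handler: the shape that trusts the client beside the shape that checks identity and per-attachment permission before returning any bytes. The store, users and attachment ids are constructed sample data.

```python
# Added example: the missing-authorization defect class beside its fix.
# Not Devolutions' code; store contents and user names are constructed.
from dataclasses import dataclass, field


@dataclass
class Attachment:
    owner: str
    readers: set = field(default_factory=set)  # users besides the owner allowed to read
    data: bytes = b""


# Constructed sample store: attachment id -> record
ATTACHMENTS = {
    "att-1": Attachment(owner="alice", readers={"bob"}, data=b"vpn-config"),
    "att-2": Attachment(owner="carol", data=b"deploy-key"),
}


def serve_attachment_insecure(attachment_id, user=None):
    """Vulnerable shape: resolves the id and returns the file. It never asks
    who the caller is or whether they may read this attachment, so any
    network-reachable client that knows (or guesses) an id gets the bytes."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return 404, b""
    return 200, att.data


def serve_attachment(attachment_id, user):
    """Hardened shape: authentication and per-object authorization are
    enforced inside the handler, before any file bytes are touched, so a UI
    that merely hides the link is not the only thing standing in the way."""
    if user is None:
        return 401, b""  # unauthenticated callers get nothing
    att = ATTACHMENTS.get(attachment_id)
    # Same response for "missing" and "forbidden" so the endpoint does not
    # confirm which attachment ids exist to callers who may not read them.
    if att is None or (user != att.owner and user not in att.readers):
        return 404, b""
    return 200, att.data
```

The status codes follow the usual HTTP convention (401 unauthenticated, 404 for both unknown and forbidden ids); the only change an audit needs to look for is that the permission check happens in the handler at all.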


Source: CVE-2026-12105 | Devolutions Server up to 2026.1.20/2026.2.4 Attachments authorization (DEVO-2026-0017)
Domain: vuldb.com
