CVE-2026-10787

EUVD-2026-35183
Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request.

This issue affects :

  *  Devolutions Server 2026.2.4.0
  *  Devolutions Server 2026.1.20.0 and earlier
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://devolutions.net/security/advisories/DEVO-2026-0015/