endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an
authenticated low-privileged user to disclose the private key of an SSH
key or certificate PAM credential via a direct object reference to the
credential identifier.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
| Link | Providers |
|---|---|
| https://devolutions.net/security/advisories/DEVO-2026-0024/ |
|
Thu, 16 Jul 2026 14:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Improper Authorization Allows Low-Privileged User to Retrieve Private SSH Key in Devolutions Server |
Wed, 15 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Devolutions
Devolutions server |
|
| Vendors & Products |
Devolutions
Devolutions server |
Wed, 15 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Tue, 14 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier. | |
| Weaknesses | CWE-639 | |
| References |
|
Status: PUBLISHED
Assigner: DEVOLUTIONS
Published:
Updated: 2026-07-15T14:40:46.594Z
Reserved: 2026-07-13T18:17:50.907Z
Link: CVE-2026-15637
Updated: 2026-07-15T14:40:24.485Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T13:45:16Z