CVE-2026-12117 | Improper access control in the social login connection endpo… | CVSS 4.3 MEDIUM

Description

Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.

Metadata

CVE ID: CVE-2026-12117
State: PUBLISHED
Assigner: DEVOLUTIONS
Reserved: 2026-06-12 14:47 UTC
Published: 2026-06-16 18:25 UTC
Last updated: 2026-06-17 15:14 UTC
Primary CWE: CWE-200
CWE-200
Vendor / Product: Devolutions / Devolutions Server
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Devolutions	Devolutions Server	—	2026.2.0 < 2026.2.5

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200
CWE-200	adp	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.3	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0017/