CVE-2026-12755 | Improper input validation in the PAM AD discovery endpoints … | CVSS 2.7 LOW

Description

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.

Metadata

CVE ID: CVE-2026-12755
State: PUBLISHED
Assigner: DEVOLUTIONS
Reserved: 2026-06-19 19:30 UTC
Published: 2026-06-25 13:12 UTC
Last updated: 2026-06-25 14:52 UTC
Primary CWE: CWE-1284
CWE-1284 Improper validation of specified quantity in input
Vendor / Product: Devolutions / Server
Sources: cve.org · NVD

Severity & Metrics

2.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Devolutions	Server	—	2026.2.4.0 < 2026.2.7.0

Weakness (CWE)

CWE	Source	Description
CWE-1284	cna	CWE-1284 Improper validation of specified quantity in input

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.7	LOW	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0020/