CVE-2026-12755
| CVSS Score | 2.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
| CWE | CWE-1284 |
| Vendor | devolutions |
| Product | server |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Affected Versions
Devolutions / Server
2026.2.4.0 < 2026.2.7.0