CVE-2026-9245

MEDIUM 5.0

CVSS Score

5.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

CWE	CWE-601
Vendor	devolutions
Product	server
Published	May 22, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for devolutions server

Be the first to know when new medium vulnerabilities affecting devolutions server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Devolutions / Server

2026.1.6.0 ≤ 2026.1.16.0 0 ≤ 2025.3.20.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

devolutions.net: https://devolutions.net/security/advisories/DEVO-2026-0013/