CVE-2026-15058
Summary
by MITRE • 07/14/2026
Improper authorization in the secure messages deletion endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated user to delete another user's messages via a direct object reference to the message identifier.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability identified in Devolutions Server versions 2026.2.11 and 2026.1.22 represents a critical authorization flaw that undermines the security posture of the platform's messaging system. This issue manifests as an insecure direct object reference vulnerability within the secure messages deletion endpoint, where the application fails to properly validate user permissions before executing deletion operations. The flaw allows authenticated users to manipulate object identifiers directly in API requests to target and remove messages belonging to other users without proper authorization.
The technical implementation of this vulnerability stems from insufficient input validation and access control mechanisms within the server's message handling subsystem. When an authenticated user attempts to delete a message, the system relies on the message identifier provided in the request without verifying whether the requesting user has legitimate ownership or administrative privileges over that specific message. This direct object reference pattern exposes the underlying data structure to unauthorized manipulation, enabling privilege escalation through simple parameter tampering techniques.
The operational impact of this vulnerability extends beyond mere data loss, potentially compromising the confidentiality and integrity of communications within the Devolutions Server environment. An attacker with access to a valid user account can exploit this flaw to systematically delete messages from other users, disrupting communication channels, potentially destroying evidence of activities, and undermining trust in the platform's security controls. The vulnerability affects all authenticated users who can access the messaging functionality, making it particularly dangerous in environments where multiple users share administrative or collaborative workspaces.
This vulnerability aligns with CWE-285, which describes improper authorization conditions that allow unauthorized access to resources through direct object references. The flaw demonstrates characteristics consistent with ATT&CK technique T1078.004, which involves valid accounts used for persistence and privilege escalation within target systems. Organizations using Devolutions Server should immediately implement access control validation checks that verify user permissions against the target resource before executing any destructive operations, particularly in message deletion endpoints where such controls are typically insufficient.
The recommended mitigations include implementing proper authorization checks that validate the requesting user's relationship to the target message object, employing indirect reference mechanisms instead of direct object references, and conducting comprehensive input validation on all message identifier parameters. Security teams should also establish audit logging for message deletion activities to detect unauthorized access attempts and implement rate limiting to prevent systematic exploitation of the vulnerability across multiple targets. Additionally, developers should follow secure coding practices that enforce principle of least privilege and maintain proper separation of concerns between user roles and system operations within messaging components.
Organizations should prioritize immediate patching of affected versions while conducting thorough security assessments of similar endpoints throughout their Devolutions Server installations to identify additional instances of insecure direct object references. The vulnerability underscores the importance of maintaining robust access control mechanisms in web applications, particularly when handling sensitive user communications and data deletion operations that could have far-reaching consequences for system integrity and user privacy.