CVE-2026-15637
Summary
by MITRE • 07/14/2026
Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical authorization flaw in Devolutions Server's privileged access management infrastructure that enables authenticated but low-privileged users to bypass proper access controls and retrieve sensitive SSH private keys or certificates. The issue stems from improper input validation and access control mechanisms within the PAM SSH key and certificate retrieval endpoints, specifically allowing direct object reference attacks where users can manipulate credential identifiers to access resources they should not have permission to view. The vulnerability falls under CWE-285, which addresses improper authorization issues in software systems.
The technical implementation of this flaw occurs when the server fails to properly validate whether an authenticated user has legitimate authorization to access specific PAM credentials based on their privileges or role assignments. An attacker with basic authentication credentials can exploit this by directly referencing credential identifiers through API calls or web interfaces, essentially performing a parameter tampering attack that circumvents normal access control checks. This direct object reference vulnerability allows for unauthorized data disclosure and potentially leads to privilege escalation within the privileged access management environment.
The operational impact of this vulnerability is severe as it compromises the fundamental security principle of least privilege that Devolutions Server aims to enforce. An authenticated user can extract private keys and certificates from other users' accounts, which could enable them to impersonate legitimate users or gain unauthorized access to protected systems. This creates a significant risk for organizations relying on Devolutions Server for privileged account management, as it essentially allows lateral movement within the privileged access environment and potential compromise of sensitive infrastructure. The attack vector is particularly dangerous because it requires minimal privileges to exploit, making it accessible to users who should not have access to such sensitive information.
Organizations using Devolutions Server 2026.2.11 and 2026.1.22 must implement immediate mitigations including strengthening access controls on PAM endpoints, implementing proper input validation for credential identifiers, and enforcing role-based access control mechanisms that verify user privileges before allowing credential retrieval operations. The remediation should involve patching the software to version 2026.2.12 or later, which addresses this authorization flaw through improved access control validation. Additionally, organizations should conduct comprehensive security audits of their PAM environments and implement monitoring for unauthorized access attempts to credential repositories. This vulnerability also aligns with ATT&CK technique T1550.001 for use of valid accounts and T1078.004 for legitimate credentials, highlighting the importance of proper access control implementation in privileged access management systems.
The flaw demonstrates how insufficient authorization checks in modern security infrastructure can create exploitable pathways for attackers to bypass security controls that are designed to protect sensitive information. Organizations should treat this vulnerability as a critical risk requiring immediate attention and implement comprehensive access control policies that prevent unauthorized credential access regardless of user authentication status. Regular security testing and penetration testing should be conducted to identify similar authorization flaws in other privileged access management systems and web applications that may be susceptible to similar direct object reference attacks.