CRITICAL🇵🇱 Wersja polska

CVE-2026-2590

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-05-10

Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.

🤖 AI Analysis
How it works

The 'Disable password saving in vaults' setting is not properly enforced in the component responsible for handling connection entries. An authenticated user can bypass this restriction by creating or editing specific connection types, which allows permanent storage of credentials in a vault entry. The control mechanism (CWE-20: Improper Input Validation, CWE-295: Improper Certificate Validation) does not correctly verify the policy status across all save paths.

Impact

An attacker or unauthorized user can gain access to credentials (usernames and passwords) saved by other users within the same vault, which may lead to account takeover and further compromise of the environment's security.

Mitigation & patch

Devolutions Remote Desktop Manager should be updated to a version newer than 2025.3.30 according to the vendor's recommendations available at https://devolutions.net/security/advisories/DEVO-2026-0005

Who is affected

Devolutions Remote Desktop Manager version 2025.3.30 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Devolutions Remote Desktop Manager

    APP
    Devolutions
    ≤ 2025.3.30.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-6057CRITICAL9.8PL ✓ten sam produkt

Pominięcie hasła master vault w Devolutions Remote Desktop Manager

CVE-2023-6593CRITICAL9.8PL ✓ten sam produkt

Pomijanie uprawnień po stronie klienta w Devolutions Remote Desktop Manager na iOS

CVE-2023-5765CRITICAL9.8ten sam produkt

Improper access control in the password analyzer feature in Devolutions Remote Desktop Manager 2023.2.33 and e...

CVE-2023-5766CRITICAL9.8ten sam produkt

A remote code execution vulnerability in Remote Desktop Manager 2023.2.33 and earlier on Windows allows an a...

CVE-2023-4373CRITICAL9.8ten sam produkt

Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop...