CVE-2026-12755

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 25, 2026

Vendor unknown

Description

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.

References

https://devolutions.net/security/advisories/DEVO-2026-0020/