CVE-2026-9245

MEDIUM devolutions devolutions_server NVD

CVSS Score 5

Severity MEDIUM

Published May 22, 2026

Vendor devolutions

Description

Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Vendor Advisories

https://devolutions.net/security/advisories/DEVO-2026-0013/

References

https://devolutions.net/security/advisories/DEVO-2026-0013/