{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4989", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-27T13:42:14.773Z", "datePublished": "2026-04-01T15:07:29.219Z", "dateUpdated": "2026-04-01T17:15:10.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:07:29.219Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.1", "lessThanOrEqual": "2026.1.11", "versionType": "custom"}, {"status": "affected", "version": "2025.3.1", "lessThanOrEqual": "2025.3.17", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.<br><p>This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.</p>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T17:13:49.659152Z", "id": "CVE-2026-4989", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:15:10.559Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T17:13:49.659152Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T17:13:27.884Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.1", "versionType": "custom", "lessThanOrEqual": "2026.1.11"}, {"status": "affected", "version": "2025.3.1", "versionType": "custom", "lessThanOrEqual": "2025.3.17"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.", "supportingMedia": [{"type": "text/html", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.<br><p>This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:07:29.219Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4989", "state": "PUBLISHED", "dateUpdated": "2026-04-01T17:15:10.559Z", "dateReserved": "2026-03-27T13:42:14.773Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-04-01T15:07:29.219Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "49328DF9-AC32-4DB7-B5D1-407A280F9F2E", "versionEndExcluding": "2025.3.18.0", "versionStartIncluding": "2025.3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "710C8535-DE31-447E-A7FD-41DC513106F5", "versionEndExcluding": "2026.1.12.0", "versionStartIncluding": "2026.1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.\nThis issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17."}], "id": "CVE-2026-4989", "lastModified": "2026-04-03T19:13:27.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T16:23:51.973", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.1,2026.1.11]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.3.1,2025.3.17]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-02T04:36:46.457625+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to version 2026.1.12 or later, or to 2025.3.18 or later, which contain the fixed gateway health check input validation.", "If an immediate upgrade is not feasible, restrict network access for the Server\u2019s outbound connections using firewall rules or proxy settings to limit exposure to internal resources.", "Monitor for anomalous outbound requests from the Server and audit API usage logs for suspicious patterns."], "summary": {"action": "Apply Patch", "impact": "Server-side Request Forgery (SSRF) allowing information disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Devolutions Server products. Versions 2026.1.1 through 2026.1.11 and 2025.3.1 through 2025.3.17 are impacted. All other releases are presumed unaffected.", "description_and_impact": "A crafted API request to the gateway health check endpoint fails to properly validate input, enabling a low-privileged authenticated user to cause the server to make arbitrary outbound requests. This flaw can expose internal network services and sensitive data, yet it does not provide direct code execution or privilege escalation. The weakness aligns with input validation errors that allow malicious requests to be forwarded by the server.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate risk; the unspecified EPSS score indicates no publicly available exploit data, and the flaw is not listed in the CISA KEV catalog, suggesting low to moderate exploitation likelihood. Attackers would need authenticated access to the affected Server instance and could leverage the SSRF to probe internal services, potentially revealing configuration or surveillance endpoints. No direct elevation of privilege or remote code execution is possible based on the current description."}}}}, "created": "2026-04-02T07:48:58.647579+00:00", "title": "SSRF via Gateway Health Check in Devolutions Server", "updated": "2026-04-02T20:17:24.064246+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}