CVE-2026-3638

Low‑Privileged Users Can Restore Deleted Accounts via Improper Access Control

Description

Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.

INFO

Published Date :

2026-03-09T18:51:13.485Z

Last Modified :

2026-03-09T19:31:20.567Z

Source :

DEVOLUTIONS

AFFECTED PRODUCTS

The following products are affected by CVE-2026-3638 vulnerability.

Vendors	Products
Devolutions	Devolutions Server Server

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-3638.

URL	Resource
https://devolutions.net/security/advisories/DEVO-2026-0007

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact