CVE-2026-2590 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 4, 2026
Devolutions Remote Desktop Manager - Broken Access Control
Published: March 3, 2026Updated: March 4, 2026Remote Exploitable
Overview
Devolutions Remote Desktop Manager <= 2025.3.30 contains a broken access control caused by improper enforcement of the disable password saving setting in connection entry component, letting authenticated users persist credentials despite password saving being disabled, exploit requires user authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Authenticated users can persist credentials despite restrictions, potentially exposing sensitive information to other users.
Mitigation
Update to the latest version beyond 2025.3.30.
Related Resources
Details
- CVE ID
- CVE-2026-2590
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- broken_access_control
- Status
- new
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H