Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.

Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.

Permission bypass when importing or synchronizing entries in User vault in Devolutions Remote Desktop Manager 2023.1.9 and prior versions allows users with restricted rights to bypass entry permission via id collision.

Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.

Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to elevate themselves to unauthorized groups via a specially crafted request.

Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.

Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.

Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.

Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.

Incorrect authorization in PAM vaults in Devolutions Server 2024.3.12 and earlier allows an authenticated user to bypass the 'add in root' permission.

Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.

Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.

Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature. This affects only SQL data sources.