CVE-2026-2590

critical

Published 2026-03-03 · Modified 2026-05-10

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.8

Description

Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@devolutions.net — https://devolutions.net/security/advisories/DEVO-2026-0005

Application impact

Vendor	Product	Versions	Fixed
devolutions	remote_desktop_manager	`{"endIncluding":"2025.3.30.0"}`

References

https://devolutions.net/security/advisories/DEVO-2026-0005

CWEs

CWE-20 CWE-295

Verify integrity in audit chain (admin only). AS-IS.