Extended Maintenance Releases

If you are using a client (RDM, PowerShell, etc.), version 2026.1 is required for this DVLS version FIXES SECURITY Core - Fixed a security issue where duplicating a folder could expose attachments and handbook pages to users without access to the original content SECURITY Core - Fixed a security issue where ticketing service credentials (ServiceNow and Jira) could be viewed by authenticated users through data source settings SECURITY PAM - Fixed missing permission checks on discovery scan results, ensuring only authorized users can access discovery data Core - Fixed an issue where the "Template list only" mode was not enforced, allowing entries to be created without a template Core - Fixed login failures when using MaxMind GeoLite2 with location-based access policies Web - Fixed an issue where deleting an entry could trigger an error and leave the connections tree in an incorrect state until the page was refreshed Web - UI fixes ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2026.1 is required for this DVLS version FIXES SECURITY Core - Restricted access to deleted user group details to authorized administrators only SECURITY Core - Secured ticketing integration credentials so they are no longer visible to non-administrative users SECURITY PAM - Fixed a script injection vulnerability in built-in PAM provider scripts Core - Fixed an issue where updating the server could cause valid licenses to disappear when an expired license was present Gateway - Fixed false "Gateway down" notifications that could occur during periods of heavy load PAM - Fixed an issue where Azure SQL accounts in the infrastructure vault were incorrectly shown as out of sync PAM - Fixed an issue where scans of unresponsive Windows targets could block future account scans ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2026.1 is required for this DVLS version FIXES SECURITY CVE-2026-10615 Core - Fixed synchronizers running against sealed credentials without prompting for unsealing first SECURITY CVE-2026-9522 PAM - Fixed an access control issue affecting account discovery scan configurations SECURITY CVE-2026-9590 Core - Fixed a permission issue that could allow asset sections to be modified through the API without proper authorization Core - Fixed an error that prevented starting a trial when an invalid email address was entered Core - Fixed sign-in issues when using Entra App Proxy with MFA and pre-authentication enabled PAM - Fixed a regression where the OTP field was not displayed for checked-out accounts using inherited OTP settings Web - Fixed the Clipboard Privacy warning dialog's "Do not show again" option not being respected Web - Fixed trailing spaces being saved in Tags and Notification Subscription exact-match filters ** CONSOLE RELEASE NOTES ** FIXES Core - Fixed the inability to edit additional access URIs in the Kestrel configuration

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version FIXES SECURITY CVE-2026-9223 Core - Fixed a missing permission check that could allow users to create a new vault when importing an `.rdx` file referencing a non-existent vault SECURITY Core - Fixed synchronizers running against sealed credentials without prompting for unsealing first Core - Fixed sign-in issues when using Entra App Proxy with MFA and pre-authentication enabled Core - Restored compatibility between single sign-on (SSO) and multi-factor authentication (MFA) ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version IMPROVEMENTS SECURITY Core - Added audit logging for Send Copy actions so administrators can track who shared entries and with whom SECURITY Core - Improved authentication security to prevent external-provider sessions from bypassing password authentication under a different login method FIXES SECURITY [CVE-2026-5171 ]Core - Fixed an issue where users without Activity Logs permission could still retrieve entry logs through the API SECURITY [CVE-2026-7325]PAM - Fixed an LDAP coercion issue that could force DVLS to authenticate against a malicious LDAP server SECURITY [CVE-2026-8477]Core - Fixed a security issue where sealed entries could be accessed through the partial sensitive-data endpoint without triggering unseal notifications SECURITY Core - Fixed a password change bypass that allowed users to change passwords without providing the previous password SECURITY Core - Fixed an access-rights cache issue that could allow a privileged user to retrieve another user's credentials SECURITY Core - Fixed an issue where Active Directory accounts could modify their own profile data through the API despite UI restrictions SECURITY Core - Fixed an issue where duplicating a connection could copy handbooks and attachments from entries the user could not access SECURITY Core - Fixed an issue where handbook content and attachment metadata from sealed entries could be accessed without following the unseal workflow SECURITY Core - Fixed an issue where non-admin users could bypass the Pending Approval flow by changing an entry's status SECURITY Core - Fixed an issue where sealed credentials could be unsealed in another DVLS instance without notifying administrators, and improved handling of linked sealed credentials after import SECURITY Core - Fixed an open redirect vulnerability during external OAuth sign-in failures or cancellations ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version IMPROVEMENTS SECURITY [CVE-2026-5146] Core - Closed a security gap allowing notification actions without authentication ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version FIXES SECURITY CVE-2026-6706 Core - Added missing authorization check to prevent unauthorized access to handbook pages ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version FIXES SECURITY PAM - Fixed incorrect authorization on PAM endpoints that allowed low-privilege users to access PAM provider and checkout policy information SECURITY CVE-2026-4828 Core - Fixed a security issue where MFA check could be bypassed when Emergency Code authentication was disabled SECURITY CVE-2026-4924 Core - Fixed a security issue where MFA could be bypassed using an alternate authentication cookie SECURITY CVE-2026-4925 Core - Fixed an issue allowing users to remove their own MFA despite enforced restrictions SECURITY CVE-2026-4989 Core - Fixed an issue where the gateway health check could be exploited for server-side request forgery (SSRF) Core - Fixed performance issues with Conditional Access Policies enabled Core - Resolved SQL collation issues during database and web backups Core - Restored access to sensitive User Vault information by correcting permission handling PAM - Fixed OTP prompt appearing for brokering-only PAM accounts Web - Fixed an error when saving user vault entries for accounts without a user vault Web - Fixed the credit card edit component missing a reveal sensitive data button Web - Restored ability to send Secure Messages with attachments ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version IMPROVEMENTS Gateway - Gateway list now refreshes automatically after updates FIXES SECURITY Core - Fixed a critical security issue that allowed attackers to bypass Entra ID (Azure AD) authentication using a forged identity token Core - Fixed error preventing infrastructure vault access Core - Replaced unclear error when saving to a non-existent personal vault with an access denied message Gateway - Fixed gateways with custom security not selectable in farms and PAM providers PAM - Fixed domain connection test using wrong domain PAM - Fixed incorrect UPN suffix for JIT-provisioned AD accounts PAM - Fixed password reset failures when associated Gateway was missing PAM - Prevented deletion of checked-out PAM accounts Web - Fixed inconsistent Markdown rendering ** CONSOLE RELEASE NOTES ** FIXES Gateway - Fixed certificate settings being lost when editing a Gateway

If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version IMPROVEMENTS Core - Update DUO MFA integration ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version FIXES SECURITY CVE-2025-13757 Core - Fixed SQL injection vulnerability in the last usage logs API endpoint SECURITY CVE-2025-13758 Core - Fixed security issue where sensitive credentials were exposed in API responses for certain connection types (SMB, HyperV, WebDav, and others) Core - Fixed erroneous mismatch log messages during SSO authentication from RDM ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version FIXES Core - Fixed an issue where Windows authentication combined with 2FA would fail to work properly ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

FIXES SECURITY Core - Fixed authentication bypass vulnerability where "Configure 2FA by user later" could be exploited to access other user accounts SECURITY Core - Fixed password list custom values being visible to users with view-only permissions ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version FIXES SECURITY CVE-2025-11619 Core - Fixed an issue where the Gateway domain in the TLS certificate was not validated Core - Fixed an issue preventing Add/Edit of MFA conditional policies when the result was set to MFA required or MFA skipped Core - Fixed an issue where gateway settings were ignored for local SSH providers Core - Fixed an issue where the syslog server status incorrectly showed as Down on the System dashboard ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.2 is required for this DVLS version FIXES SECURITY Core - Fixed an issue where unauthorized users could approve temporary access requests SECURITY Core - Fixed an issue where users could self-approve temporary access requests Core - Fixed an error when importing computers from an AD scan Core - Reduced email notifications when Syslog is down or the instance goes offline Core - Upgraded the MailKit library to resolve email sending issues PAM - Fixed a missing "Password template" field in the PAM account password generator ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.1 is required for this DVLS version FIXES SECURITY CVE-2025-8312 PAM - Resolved an issue where the automatic check-in task could unexpectedly stop PAM - Addressed an issue where PowerShell tasks generated by PAM would remain open after a crash ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.1 is required for this DVLS version IMPROVEMENTS SECURITY Core - Increased the length of emergency codes to fix a vulnerability and prevent brute-force attacks FIXES SECURITY Core - Fixed an issue where connection permissions could be bypassed through secure messages ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2025.1 is required for this DVLS version FIXES SECURITY Core - Added missing HSTS headers on select routes PAM - Fixed an error that was logged when users encountered issues using PAM ** CONSOLE RELEASE NOTES ** FIXES Fixed an issue where the basic installation process was not working

If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version FIXES SECURITY CVE-2025-4316 PAM - Fixed an issue where an admin could approve their own checkout even if approval was required SECURITY PAM - Fixed an issue where "Assigned provider privileges" in JIT privileged sets would select all available groups when adding a new provider privilege ** CONSOLE RELEASE NOTES ** IMPROVEMENTS Minor updates

If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version FIXES Core - Fixed an issue with the Free Gateway license that prevented launching any session

If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version FIXES SECURITY CVE-2025-2277 Core - Fixed an exposure of passwords in the web-based SSH authentication component SECURITY CVE-2025-2278 Core - Fixed improper access control in Temporary Access Requests and Checkout Requests endpoints

If you are using a client (RDM, PowerShell, etc.), version 2024.3 is required for this DVLS version FIXES SECURITY PAM - Fixed an issue where the "Add in Root" permission was not respected in PAM vaults Core - Fixed an error that could occur when exporting login history Core - Fixed an issue where the folder structure could disappear when adding or editing entries/folders in RDM

If you use a client (RDM, PowerShell, etc.), version 2024.2 is required for this DVLS version FIXES Core - Fixed an issue that prevented the Gateway from functioning Core - Fixed an issue in the "Add" window where some connection types were duplicated Core - Fixed an issue where backups would fail if there was a space at the beginning of the folder path Core - Fixed an issue where removing administrator rights from a user would leave all vaults selected Core - Fixed an issue where sending a secure message to multiple recipients would only send to the first one ## CONSOLE RELEASE NOTES ## FIXES Minor updates

If you use a client (RDM, PowerShell, etc.), version 2024.2 is required for this DVLS version IMPROVEMENTS Core - The Entry Security Analyzer report no longer loads all vaults by default, improving initial load time PAM - Enhanced logs to provide more detailed information when a password policy mismatch occurs FIXES SECURITY FIX PAM - Fixed an issue where expired checkouts were still accessible when the scheduler was down SECURITY FIX DEVO-2024-0013 PAM - Fixed an issue where users could approve their own requests even when the option was disabled Core - Fixed an issue that was preventing Devo Send from being used Core - Fixed an issue where custom variables were not resolved for entries configured with a Gateway Core - Fixed an issue where the Reset-DSPamPassword command was not working with the PowerShell module ## CONSOLE RELEASE NOTES ## IMPROVEMENTS Minor updates

If you use a client (RDM, PowerShell, etc.), version 2024.1 is required for this DVLS version FIXES SECURITY FIX CVE-2024-4846  Core - Fixed an issue where a user could be authenticated without being asked for the 2FA via another browser tab Core - Fixed an issue where linked account cause problem in RDM Core - Fixed an issue where user synchronisation was failing ## CONSOLE RELEASE NOTES ## FIXES Minor updates