Devolutions ForumDevolutions Forum

Version 2026.1.19.0 (May 21, 2026)

Version 2026.1.19.0 (May 21, 2026)

avatar
devolutions-automation

If you are using a client (RDM, PowerShell, etc.), version 2026.1 is required for this DVLS version

IMPROVEMENTS

  • SECURITY Core - Added audit logging for Send Copy actions so administrators can track who shared entries and with whom
  • SECURITY Core - Improved authentication security to prevent external-provider sessions from bypassing password authentication under a different login method
  • Core - Improved Active Directory user creation performance
  • PAM - Added an option to skip TLS validation for the Windows Provider
  • Web - Added Command key support for multi-selection in the web interface, allowing Mac users to extend selections with Cmd-click


FIXES

  • SECURITY [CVE-2026-5171 ]Core - Fixed an issue where users without Activity Logs permission could still retrieve entry logs through the API
  • SECURITY [CVE-2026-7325]PAM - Fixed an LDAP coercion issue that could force DVLS to authenticate against a malicious LDAP server
  • SECURITY [CVE-2026-8477]Core - Fixed a security issue where sealed entries could be accessed through the partial sensitive-data endpoint without triggering unseal notifications
  • SECURITY [Le CVE-2026-9047]Core - Fixed an issue where adding an additional MFA factor could remove an existing MFA key
  • SECURITY Core - Fixed a missing permission check that could allow users to create a new vault when importing an `.rdx` file referencing a non-existent vault
  • SECURITY Core - Fixed a password change bypass that allowed users to change passwords without providing the previous password
  • SECURITY Core - Fixed an access-rights cache issue that could allow a privileged user to retrieve another user's credentials
  • SECURITY Core - Fixed an issue where Active Directory accounts could modify their own profile data through the API despite UI restrictions
  • SECURITY Core - Fixed an issue where duplicating a connection could copy handbooks and attachments from entries the user could not access
  • SECURITY Core - Fixed an issue where handbook content and attachment metadata from sealed entries could be accessed without following the unseal workflow
  • SECURITY Core - Fixed an issue where non-admin users could bypass the Pending Approval flow by changing an entry's status
  • SECURITY Core - Fixed an issue where sealed credentials could be unsealed in another DVLS instance without notifying administrators, and improved handling of linked sealed credentials after import
  • SECURITY Core - Fixed an open redirect vulnerability during external OAuth sign-in failures or cancellations
  • Core - Fixed a `NullReferenceException` in the notification processing service that could leave notifications stuck in an unprocessed state
  • Core - Fixed an issue where Linked (External) credentials were not saved correctly on SSH entries linked to an SSH Key
  • Core - Fixed attachments being lost when moving an entry to another vault
  • Core - Fixed folder duplication so sub-entries are duplicated along with the parent folder
  • Web - Fixed a `TypeError` when opening the Advanced Search dialog as a user without a User Vault


** CONSOLE RELEASE NOTES **

IMPROVEMENTS

  • Minor updates

All Comments (0)