Devolutions ForumDevolutions Forum

Version 2025.3.22.0 (May 21, 2026)

Version 2025.3.22.0 (May 21, 2026)

avatar
devolutions-automation

If you are using a client (RDM, PowerShell, etc.), version 2025.3 is required for this DVLS version

IMPROVEMENTS

  • SECURITY Core - Added audit logging for Send Copy actions so administrators can track who shared entries and with whom
  • SECURITY Core - Improved authentication security to prevent external-provider sessions from bypassing password authentication under a different login method


FIXES

  • SECURITY [CVE-2026-5171 ]Core - Fixed an issue where users without Activity Logs permission could still retrieve entry logs through the API
  • SECURITY [CVE-2026-7325]PAM - Fixed an LDAP coercion issue that could force DVLS to authenticate against a malicious LDAP server
  • SECURITY [CVE-2026-8477]Core - Fixed a security issue where sealed entries could be accessed through the partial sensitive-data endpoint without triggering unseal notifications
  • SECURITY Core - Fixed a password change bypass that allowed users to change passwords without providing the previous password
  • SECURITY Core - Fixed an access-rights cache issue that could allow a privileged user to retrieve another user's credentials
  • SECURITY Core - Fixed an issue where Active Directory accounts could modify their own profile data through the API despite UI restrictions
  • SECURITY Core - Fixed an issue where duplicating a connection could copy handbooks and attachments from entries the user could not access
  • SECURITY Core - Fixed an issue where handbook content and attachment metadata from sealed entries could be accessed without following the unseal workflow
  • SECURITY Core - Fixed an issue where non-admin users could bypass the Pending Approval flow by changing an entry's status
  • SECURITY Core - Fixed an issue where sealed credentials could be unsealed in another DVLS instance without notifying administrators, and improved handling of linked sealed credentials after import
  • SECURITY Core - Fixed an open redirect vulnerability during external OAuth sign-in failures or cancellations


** CONSOLE RELEASE NOTES **

IMPROVEMENTS

  • Minor updates

All Comments (0)