CVE-2026-2590
Published: 03 March 2026
Summary
CVE-2026-2590 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Devolutions Remote Desktop Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Managers (T1555.005); it ranks at the 14.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
- Directly remediates the improper enforcement flaw in Devolutions Remote Desktop Manager by applying vendor patches as specified in advisory DEVO-2026-0005.
- Enforces configuration settings such as 'Disable password saving in vaults' across all connection types to prevent unauthorized credential persistence.
- Validates inputs for connection creation or editing to properly enforce the password saving disable setting, countering the associated CWE-20 improper input validation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Bypass of disabled password saving directly enables storage of credentials in application vaults (password managers) and results in unsecured credentials being persisted and potentially exposed to other vault users.
NVD Description
Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.
Deeper analysisAI
CVE-2026-2590 is an improper enforcement of the "Disable password saving in vaults" setting in the connection entry component of Devolutions Remote Desktop Manager versions 2025.3.30 and earlier. This vulnerability, associated with CWE-20 (Improper Input Validation), enables an authenticated user to persist credentials in vault entries despite the setting being disabled, by creating or editing certain connection types. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts.
An authenticated user can exploit this vulnerability over the network with low attack complexity and no user interaction required. By creating or editing specific connection types while the "Disable password saving in vaults" setting is enabled, the attacker bypasses its enforcement and stores credentials in vault entries. This potentially exposes sensitive information to other users with access to those vaults, enabling unauthorized credential access and further compromise.
Devolutions has published security advisory DEVO-2026-0005, available at https://devolutions.net/security/advisories/DEVO-2026-0005, which provides details on mitigation and patches. Security practitioners should consult this advisory for specific remediation steps, such as upgrading to a patched version of Remote Desktop Manager.
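The following is an added illustration of the defect class described above and of the SI-10 style fix listed under the mitigating controls; it is not Devolutions' code and does not reflect how Remote Desktop Manager is implemented. It models a hypothetical vault with a policy flag, shows the weak pattern (the "no password saving" check lives beside per-type UI code, so any connection type the author did not list slips through) next to the hardened pattern (one validation gate on the persist path that covers every entry type and every secret-bearing field), and goes one step further than the advisory by adding an audit routine that finds entries already stored in violation of the policy. Entry types, field names and the sample entries are all constructed assumptions.

```python
"""Hypothetical vault model: policy enforcement at the UI layer vs. at the
persist path, plus an audit of existing entries.  Not vendor code; all
names below are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List

# Connection types the hypothetical UI code "knows" about (constructed sample).
KNOWN_TYPES = {"rdp", "ssh"}

# Type-specific fields that may carry a secret (assumed names).
SECRET_FIELDS = {"password", "passphrase", "private_key", "token"}


@dataclass
class ConnectionEntry:
    name: str
    conn_type: str
    username: str = ""
    password: str = ""                                   # "" means not stored
    extra: Dict[str, str] = field(default_factory=dict)  # type-specific fields


class PolicyViolation(Exception):
    pass


def violations(entry: ConnectionEntry) -> List[str]:
    """Names of secret-bearing fields that are populated on this entry."""
    found = ["password"] if entry.password else []
    found.extend(k for k, v in entry.extra.items() if k in SECRET_FIELDS and v)
    return found


# --- Weak pattern: the check is tied to the connection types the UI lists. ---
# A type outside KNOWN_TYPES is written with its password intact, which is the
# shape of "improper enforcement for certain connection types".
def persist_vulnerable(vault: List[ConnectionEntry], entry: ConnectionEntry,
                       disable_password_saving: bool) -> ConnectionEntry:
    if disable_password_saving and entry.conn_type in KNOWN_TYPES and entry.password:
        raise PolicyViolation(f"{entry.name}: password saving is disabled")
    vault.append(entry)
    return entry


# --- Hardened pattern: a single gate on the persist path, independent of type.
def persist_hardened(vault: List[ConnectionEntry], entry: ConnectionEntry,
                     disable_password_saving: bool) -> ConnectionEntry:
    if disable_password_saving:
        bad = violations(entry)
        if bad:
            raise PolicyViolation(
                f"{entry.name}: secret field(s) {bad} not allowed while "
                "password saving is disabled")
    vault.append(entry)
    return entry


# --- Detection: which stored entries already contradict the policy? ----------
def audit_vault(vault: List[ConnectionEntry], disable_password_saving: bool) -> List[str]:
    """Names of entries holding stored secrets although the policy forbids it."""
    if not disable_password_saving:
        return []
    return [e.name for e in vault if violations(e)]


def demo():
    """Run both persist paths with the policy on; return what each lets through."""
    policy_on = True

    weak_vault: List[ConnectionEntry] = []
    persist_vulnerable(weak_vault, ConnectionEntry("srv-a", "rdp", "alice"), policy_on)
    try:  # a listed type is checked correctly
        persist_vulnerable(weak_vault, ConnectionEntry("srv-b", "rdp", "bob", "hunter2"), policy_on)
    except PolicyViolation:
        pass
    # an unlisted type is not checked at all: the password is persisted
    persist_vulnerable(weak_vault, ConnectionEntry("srv-c", "vnc", "carol", "s3cret"), policy_on)
    leaked = audit_vault(weak_vault, policy_on)  # the audit surfaces srv-c

    hard_vault: List[ConnectionEntry] = []
    persist_hardened(hard_vault, ConnectionEntry("srv-a", "rdp", "alice"), policy_on)
    rejected = 0
    for e in (ConnectionEntry("srv-c", "vnc", "carol", "s3cret"),
              ConnectionEntry("srv-d", "custom", "dave", extra={"token": "abc"})):
        try:
            persist_hardened(hard_vault, e, policy_on)
        except PolicyViolation:
            rejected += 1
    return leaked, rejected, audit_vault(hard_vault, policy_on)


if __name__ == "__main__":
    print(demo())
```

The design point is where the check sits: a policy that must hold for every connection type belongs on the one code path all writes share, not in the per-type editors, and an audit of what is already stored is the quick way to tell whether a vault was exposed before the patch was applied.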
Details
- CWE(s)