CVE-2026-2590: Vulnerability in Devolutions Remote Desktop Manager
Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by creating or editing certain connection types while password saving is disabled.
AI Analysis
Technical Summary
CVE-2026-2590 is a security vulnerability identified in Devolutions Remote Desktop Manager (RDM) versions 2025.3.30 and earlier. The issue stems from improper enforcement of the 'Disable password saving in vaults' setting within the connection entry component. This setting is intended to prevent users from saving passwords in vault entries for certain connection types, enhancing security by limiting credential persistence. However, due to this vulnerability, an authenticated user can circumvent this restriction by creating or editing specific connection types, thereby persisting credentials even when password saving is supposed to be disabled. This behavior can lead to unauthorized exposure of sensitive credentials stored in vault entries to other users who have access to the same RDM environment. Since RDM is widely used for managing remote connections and credentials, this flaw undermines the confidentiality of stored passwords and could facilitate insider threats or lateral movement within an organization. Exploitation requires the attacker to have valid authentication credentials but does not require additional user interaction, making it a relatively straightforward attack vector once access is obtained. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability was reserved in mid-February 2026 and published in early March 2026, indicating recent discovery. The vendor has not yet provided a patch or mitigation guidance publicly, emphasizing the need for organizations to implement interim controls.
Potential Impact
The primary impact of CVE-2026-2590 is the compromise of credential confidentiality within Devolutions Remote Desktop Manager environments. By allowing authenticated users to persist passwords despite the disabling setting, sensitive credentials may be exposed to unauthorized users who share access to the vault. This can lead to unauthorized access to critical systems, facilitating lateral movement, privilege escalation, or data breaches. Organizations that rely heavily on RDM for managing remote access credentials, especially in multi-user or shared environments, face increased risk of insider threats or accidental credential leakage. The vulnerability does not directly affect system availability or integrity but significantly undermines trust in credential management. Since exploitation requires authentication, external attackers must first compromise user credentials or gain insider access, but once inside, the risk of further compromise is elevated. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks. The scope includes all affected versions globally, impacting sectors such as finance, government, healthcare, and technology where secure remote access is critical.
Mitigation Recommendations
Until an official patch is released by Devolutions, organizations should implement several specific mitigations:
1) Restrict user permissions within Remote Desktop Manager to the minimum necessary, limiting who can create or edit connection entries.
2) Enforce strict access controls and monitoring on vault entries to detect unauthorized credential persistence or modifications.
3) Conduct regular audits of stored credentials and connection configurations to identify any instances where passwords have been saved contrary to policy.
4) Educate users about the risk of credential exposure and enforce strong authentication mechanisms to reduce the likelihood of compromised accounts.
5) Consider isolating or segmenting RDM environments to limit the impact of insider threats.
6) Monitor vendor communications closely and apply security updates immediately once available.
7) If feasible, temporarily disable or limit use of the affected connection types that allow password saving until a fix is applied.
These targeted actions go beyond generic advice by focusing on controlling the specific attack vector and reducing credential exposure risk in shared environments.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Switzerland, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2026-02-16T15:57:08.878Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69a75724d1a09e29cb7c9d2a
Added to database: 3/3/2026, 9:48:20 PM
Last enriched: 3/3/2026, 10:04:08 PM
Last updated: 3/4/2026, 7:18:03 AM