Description
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
Published: 2026-07-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper enforcement of a mandatory multi‑factor authentication policy in Devolutions Server 2026.2.9.‑required check and authenticate without completing the second factor. The issue manifests when the system encounters an invalid default MFA value, causing the enforcement logic to be skipped. With this bypass, an attacker can obtain the same level of access as the authenticated user, potentially exposing any data or actions the user is permitted.

Affected Systems

Devolutions Server version 2026.2.9.0 is impacted. The MFA enforcement component of that release and would affect any deployment that relies on Devolutions Server’s default configuration for MFA settings. No other product versions or configurations are listed in the advisory.

Risk and Exploitability

The attack vector is straightforward: an attacker with valid user credentials can log in and avoid completing multi‑factor authentication. An EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Although the exploitation likelihood is low, the flaw permits bypassing a core authentication control, enabling an attacker to gain the same access level as the authenticated user and compromising confidentiality and the integrity of data.

Generated by OpenCVE AI on July 7, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published patch or upgrade to a newer release of Devolutions Server that restores proper MFA enforcement as described in the vendor advisory.
  • In the interim, reconfigure all logins or disable the mechanism that allows bypass when encountering an invalid default MFA value.
  • Monitor authentication logs for successful logins that do not complete MFA, and apply manual MFA enforcement measures until a patch is deployed.

Generated by OpenCVE AI on July 7, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Mon, 06 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
References

Subscriptions

Devolutions Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-07-06T19:23:21.459Z

Reserved: 2026-07-03T00:08:05.267Z

Link: CVE-2026-14536

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T17:30:17Z

Weaknesses