Description
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
Published: 2026-03-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated user can authenticate as any Microsoft Entra ID user via a forged JSON Web Token
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode of Devolutions Server: an unauthenticated attacker who can reach the server's Entra ID sign-in flow presents a forged JSON Web Token and is accepted as whichever Entra ID user the token names. This is not privilege escalation from a low-privileged foothold; no account is required at all, so the realistic outcome is complete takeover of any account the attacker chooses, including administrators, with the full permissions of that user inside Devolutions Server. The weakness is classified as improper authentication (CWE-287).

Affected Systems

Devolutions Server version 2025.3.15.0 and all earlier releases are affected. No other products or versions are listed as vulnerable.

Risk and Exploitability

The CVSS 3.1 score is 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required, and total loss of confidentiality, integrity and availability. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so observed exploitation is currently low; the SSVC assessment nevertheless marks it Automatable: yes with Technical Impact: total, and a forged-token bypass is the kind of flaw that is trivial to weaponize once the details are understood. Based on the description, an attacker needs only network access to a Devolutions Server instance with Entra ID authentication enabled; they submit a crafted JWT to the Entra ID sign-in flow and are logged in as the chosen user without holding any credentials.

Generated by OpenCVE AI on April 17, 2026 at 13:20 UTC.
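The class of flaw in the description, a relying party accepting a JSON Web Token it did not properly verify, is illustrated by the following added Python example. It is not Devolutions code and does not reproduce the actual root cause of CVE-2026-3224, which this page does not disclose; it contrasts the anti-pattern of trusting decoded claims with the checks a relying party must run on an Entra ID token (algorithm allowlist, signature, issuer and tenant, audience, validity window). The tenant id, client id, usernames and signing key are constructed, and an HMAC key stands in for Entra's RS256 signing keys so the block runs offline.

```python
"""Checks a relying party must apply to an Entra ID token before trusting the
identity it carries.  Added illustration of the CWE-287 class; not Devolutions
code, and not the actual root cause of CVE-2026-3224."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# ASSUMPTION: real Entra ID tokens are RS256-signed with keys published at
# https://login.microsoftonline.com/{tid}/discovery/v2.0/keys.  An HMAC key
# stands in here so the example runs offline; the claim checks are the same.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"   # constructed tid
EXPECTED_AUDIENCE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed client id
ALLOWED_ALGS = {"HS256"}  # a real Entra relying party allows only {"RS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str = "HS256", key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWT.  alg="none" yields an unsigned token, the classic
    forgery vector: the attacker needs no key at all to mint it."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = _b64url_encode(header) + "." + _b64url_encode(body)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def naive_identity(token: str) -> str:
    """Anti-pattern: decode the payload and trust it.  Any unauthenticated
    caller can present a token naming whichever user they like."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["preferred_username"]


def verify_entra_style_token(token: str, key: bytes = SIGNING_KEY,
                             now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if every check passes, otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # 1. Algorithm allowlist: the token must never pick its own algorithm.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # 3. Issuer and tenant: the token must come from our tenant's authority.
    if claims.get("tid") != EXPECTED_TENANT:
        return None
    if claims.get("iss") != f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0":
        return None
    # 4. Audience: a genuine token issued for another app must not log in here.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    # 5. Validity window.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    if now < claims.get("nbf", 0):
        return None
    return claims


def demo(now: float = 1_800_000_000.0) -> dict:
    """Constructed tokens: one legitimate, four that a forger might submit."""
    base = {
        "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
        "aud": EXPECTED_AUDIENCE, "tid": EXPECTED_TENANT,
        "preferred_username": "alice@contoso.example",
        "nbf": now - 60, "exp": now + 3600,
    }
    admin = {**base, "preferred_username": "admin@contoso.example"}
    legit = make_token(base)
    forged_none = make_token(admin, alg="none")             # unsigned
    forged_key = make_token(admin, key=b"attacker-guess")    # wrong key
    wrong_aud = make_token({**base, "aud": "some-other-app"})
    expired = make_token({**base, "exp": now - 1})
    return {
        "naive_accepts_forgery": naive_identity(forged_none),
        "legit": verify_entra_style_token(legit, now=now)["preferred_username"],
        "forged_none": verify_entra_style_token(forged_none, now=now),
        "forged_key": verify_entra_style_token(forged_key, now=now),
        "wrong_aud": verify_entra_style_token(wrong_aud, now=now),
        "expired": verify_entra_style_token(expired, now=now),
    }


if __name__ == "__main__":
    print(demo())
```

The naive decoder happily returns `admin@contoso.example` for an unsigned token, which is the effect the description attributes to this CVE; the strict verifier rejects the unsigned token, the token signed with a guessed key, the token issued for another audience and the expired one, and accepts only the genuine one. In production the signing key lookup is replaced by the tenant's JWKS document, selected by the token's `kid` header, and the allowlist contains only RS256.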

Remediation

This page records no vendor fix version or workaround; only the affected range (2025.3.15.0 and earlier) is given, so confirm the patched release against Devolutions' own release notes before upgrading.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a release newer than 2025.3.15.0 that Devolutions identifies as containing the fix for this authentication bypass.
  • If an upgrade is not immediately possible, temporarily disable the Microsoft Entra ID authentication mode and fall back to local authentication; this removes the affected code path entirely rather than mitigating it.
  • While unpatched, limit network exposure of the server's login endpoints and review Devolutions Server sign-in records from the Entra ID mode against the tenant's Entra ID sign-in logs: a forged token is never issued by Microsoft, so a Devolutions login with no matching Entra ID sign-in event is a strong indicator of abuse.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:45:00 +0000
  Title (value added): Authentication Bypass via Forged JSON Web Token in Devolutions Server

Thu, 05 Mar 2026 15:15:00 +0000
  First Time appeared (value added): Devolutions devolutions Server
  CPEs (value added): cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
  Vendors & Products (value added): Devolutions devolutions Server

Wed, 04 Mar 2026 15:15:00 +0000
  Metrics (values added):
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000
  First Time appeared (values added): Devolutions; Devolutions server
  Vendors & Products (values added): Devolutions; Devolutions server

Tue, 03 Mar 2026 21:45:00 +0000
  Description (value added): Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
  Weaknesses (value added): CWE-287
  References: none recorded

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-03-04T14:43:18.563Z

Reserved: 2026-02-25T18:56:18.991Z

Link: CVE-2026-3224

Vulnrichment

Updated: 2026-03-04T14:43:15.515Z

NVD

Status : Analyzed

Published: 2026-03-03T22:16:29.523

Modified: 2026-03-05T15:05:49.170

Link: CVE-2026-3224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses