Description
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
Published: 2026-04-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Multi‑factor authentication bypass
Action: Immediate Patch
AI Analysis

Impact

Improper authentication in the OAuth login flow of Devolutions Server allows a remote attacker who already possesses valid user credentials to send a crafted request that skips the required multi‑factor checkpoint. This flaw enables the attacker to assume the same user session normally protected by two‑factor authentication, thereby granting unauthorized access to all resources that the legitimate account can reach. The core weakness is an authentication bypass as identified by CWE‑1390.

Affected Systems

Versions of Devolutions Server up to and including 2026.1.11 are reported to have the flaw. No confirmation exists in the CVE data regarding the status of later releases; administrators should confirm that they are not running a vulnerable version.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.2, indicating significant potential damage, while an EPSS score of less than 1% suggests a low probability of exploitation at present. It is not listed in the CISA KEV catalog, and exploitation requires the attacker to already hold valid credentials for a target account. Assessment of threat should consider that the attack vector involves forging an HTTP request to the OAuth endpoint from an external network; once the bypass is achieved, the attacker gains full authorization rights of the compromised account.

Generated by OpenCVE AI on April 3, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Devolutions Server release that contains the fix for the OAuth authentication bypass
  • Verify that multi‑factor authentication is enforced after the update by attempting to log in with known credentials
  • Examine audit logs for evidence of bypassed MFA attempts before the system was updated
  • Stay informed about future patches or mitigations published by Devolutions

Generated by OpenCVE AI on April 3, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title OAuth Authentication Bypass Compromising Multi-Factor Authentication in Devolutions Server

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title OAuth Authentication Bypass Compromising Multi-Factor Authentication in Devolutions Server
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
Weaknesses CWE-1390
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Devolutions Devolutions Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-04-01T20:23:02.072Z

Reserved: 2026-03-25T14:10:03.751Z

Link: CVE-2026-4828

cve-icon Vulnrichment

Updated: 2026-04-01T20:21:47.988Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T16:23:51.430

Modified: 2026-04-03T19:28:06.400

Link: CVE-2026-4828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:36Z

Weaknesses