Description

Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
Published: 2026-04-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account access due to 2FA bypass
Action: Patch
AI Analysis

Impact

Improper authentication in the two-factor authentication feature of Devolutions Server allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account through reuse of a partially authenticated session token. The flaw is an authentication bypass (CWE-1390) that leads to unauthorized account access and can potentially allow the attacker to use the compromised account to perform further actions within the affected system.

Affected Systems

Devolutions Server versions 2026.1.11 and earlier are affected by this vulnerability.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score is below 1%, suggesting a low probability of exploitation; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker must first authenticate with valid credentials and then reuse the partially authenticated session token to bypass 2FA. Once the bypass succeeds, the attacker can access all functions available to the victim account, potentially compromising data and operations.

Generated by OpenCVE AI on April 3, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to Devolutions Server version 2026.1.12 or newer where the 2FA bypass is fixed.
  • If an immediate upgrade is not possible, consider disabling the 2FA feature temporarily or enforcing stricter password policies for all accounts.
  • Verify that session tokens are not reused across authentication contexts and monitor for suspicious authentication activity.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

  Type  | Values Removed | Values Added
  Title |                | Devolutions Server 2FA bypass allows unauthorized account access

Fri, 03 Apr 2026 20:15:00 +0000

  Type                | Values Removed | Values Added
  First Time appeared |                | Devolutions, devolutions Server
  CPEs                |                | cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
  Vendors & Products  |                | Devolutions, devolutions Server

Thu, 02 Apr 2026 20:30:00 +0000

  Type                | Values Removed | Values Added
  Title               |                | Devolutions Server 2FA bypass allows unauthorized account access
  First Time appeared |                | Devolutions, Devolutions server
  Vendors & Products  |                | Devolutions, Devolutions server

Wed, 01 Apr 2026 23:45:00 +0000

  Type        | Values Removed | Values Added
  Description |                | Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
  Weaknesses  |                | CWE-1390
  References  |                |
  Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}
  Metrics     |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-04-01T20:19:57.967Z

Reserved: 2026-03-26T18:13:06.159Z

Link: CVE-2026-4924

Vulnrichment

Updated: 2026-04-01T20:18:38.655Z

NVD

Status: Analyzed

Published: 2026-04-01T16:23:51.657

Modified: 2026-04-03T19:22:06.100

Link: CVE-2026-4924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:35Z

Weaknesses