Description
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11.
Published: 2026-04-01
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: MFA removal by authenticated users
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from an improper access control check in the multi-factor authentication feature. An authenticated user can submit a crafted request that bypasses the administrator-enforced restriction and deletes their own MFA configuration, removing a critical layer of protection from the affected account. This weakness is classified as CWE-862: Failure to Restrict the Type of Access.

Affected Systems

Devolutions Server versions 2026.1.6 through 2026.1.11 are affected; the impacted product is the Devolutions Server privileged-access management solution.

Risk and Exploitability

The CVSS score of 5 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near future. The vulnerability is not listed in the CISA KEV catalog, implying it is not yet known to be widely exploited. Exploitation requires a valid authenticated session: the attacker must send a crafted request to the MFA endpoint. Based on the description, the attack is inferred to be carried out through a remote network request within the application. Because only users who already hold an account can perform it, the overall risk is contained to those accounts, though each such user can strip the MFA protection that administrators intended to enforce on their own account.

Generated by OpenCVE AI on April 3, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions Server to a release that fixes the MFA access control issue.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type  | Values Removed | Values Added
Title |                | Devolutions Server MFA Access Control Exploit

Fri, 03 Apr 2026 20:15:00 +0000

Type               | Values Removed | Values Added
First Time appeared |               | Devolutions devolutions Server
CPEs               |                | cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products |                | Devolutions devolutions Server

Thu, 02 Apr 2026 20:30:00 +0000

Type               | Values Removed | Values Added
Title              |                | Devolutions Server MFA Access Control Exploit
First Time appeared |               | Devolutions
                   |                | Devolutions server
Vendors & Products |                | Devolutions
                   |                | Devolutions server

Wed, 01 Apr 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11.
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}
            |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-04-01T20:16:31.765Z

Reserved: 2026-03-26T18:33:52.783Z

Link: CVE-2026-4925

Vulnrichment

Updated: 2026-04-01T20:14:18.216Z

NVD

Status: Analyzed

Published: 2026-04-01T16:23:51.760

Modified: 2026-04-03T19:14:36.017

Link: CVE-2026-4925

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:07:33Z

Weaknesses