Description
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. 







This issue affects Server: from 2026.1.6 through 2026.1.11.
Published: 2026-04-01
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Deletion of a user’s MFA factors reduces account protection to password‑only authentication.
Action: Patch
AI Analysis

Impact

This vulnerability lies in the MFA management API of Devolutions Server. Because the API lacks proper authorization checks, a logged‑in attacker can issue crafted HTTP requests that delete any MFA factor associated with their own account. Removing these factors reverts the account to single‑factor password protection, thereby increasing the attacker’s chance of credential compromise. The weakness is a missing permission check, classified as CWE‑862.

Affected Systems

Devolutions Server versions from 2026.1.6 through 2026.1.11 are affected. No other products or versions are mentioned in the advisory.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, and the EPSS score is below 1%, suggesting a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session; the attacker can then delete MFA factors with a simple crafted HTTP request. Reducing MFA increases the risk of credential theft, making this a notable risk that should be addressed promptly.

Generated by OpenCVE AI on April 3, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Devolutions Server version 2026.1.12 or newer to eliminate the vulnerability.
  • Check the Devolutions website or advisories for any interim guidance until the upgrade can be applied.
  • Verify that MFA remains enabled for user accounts after applying the patch.
  • Consider strengthening overall account access controls to prevent unauthorized API use.

Generated by OpenCVE AI on April 3, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Improper Access Control Allows Deletion of MFA Factors

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Access Control Allows Deletion of MFA Factors
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.  This issue affects Server: from 2026.1.6 through 2026.1.11.
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Devolutions Devolutions Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-04-01T20:12:09.411Z

Reserved: 2026-03-30T18:44:07.137Z

Link: CVE-2026-5175

cve-icon Vulnrichment

Updated: 2026-04-01T20:10:30.594Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T16:23:52.350

Modified: 2026-04-03T19:03:38.703

Link: CVE-2026-5175

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:32Z

Weaknesses