Impact
Improper handling of factor key state in the multi‑factor authentication management feature of Devolutions Server allows an attacker who knows a user’s password to bypass that user’s multi‑factor authentication after the user reconfigures their authentication factors. The flaw is a classical authentication bypass, identified as CWE‑305, and results in the attacker gaining elevated access rights by circumventing an otherwise mandatory second factor. Successful exploitation would compromise the confidentiality and integrity of the affected account and of any resources the account controls.
Affected Systems
The vulnerability affects Devolutions Server versions 2026.1.6.0 through 2026.1.16.0. Administrators should confirm that their deployed server falls within this range and assess the impact on all users whose multi‑factor credentials may have been recently reconfigured.
Risk and Exploitability
Because the attacker must already know the user’s password, the primary attack vector is a credential‑compromise scenario. Once the password is known, the attacker can perform the reconfiguration step that would normally trigger MFA prompts, thereby bypassing further authentication checks. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, but the impact of defeating MFA is severe in environments that rely on the second factor for access control. The CVSS score is 7.6. The lack of a publicly disclosed exploitation pipeline suggests that the flaw is not immediately exploitable; however, the risk remains high for accounts whose passwords have already been compromised.
OpenCVE Enrichment