Devolutions Server OAuth Login Multi-Factor Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in the OAuth login process of Devolutions Server versions through 2026.1.11. This flaw allows remote attackers with valid credentials to bypass multi-factor authentication by sending a crafted login request. The issue arises from improper authentication handling, enabling attackers to exploit the login flow and gain unauthorized access.

Impact

Exploitation of this vulnerability allows user impersonation: an authenticated user can authenticate as a different user, including an administrator, by reusing a session code from an external authentication flow.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.12.0 or higher, or 2025.3.18 or higher.
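The advisory does not describe the internal mechanism of the flaw, only its effect: a session code issued by an external authentication flow could be reused to log in as a different user without completing MFA. The following Python example, added here and not code from Devolutions or from the advisory, illustrates that general weakness class with a hypothetical login handler. The weak variant trusts the user named in the login request and checks only that the code exists; the hardened variant binds the code to the identity that started the flow, requires MFA to have completed, enforces single use and expiry, and records each rejection for detection. All names (AuthServer, start_external_flow, complete_login_weak, complete_login_hardened) and the request shape are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class SessionCode:
    """A one-time code handed back from an external (OAuth-style) authentication flow."""
    code: str
    bound_user: str        # identity that initiated the flow
    mfa_completed: bool    # whether the second factor was verified before the code was issued
    expires_at: float
    used: bool = False


class AuthServer:
    """Hypothetical login service; not Devolutions Server code."""

    CODE_TTL_SECONDS = 300

    def __init__(self):
        self._codes = {}
        self.audit = []  # (event, requested_user, reason) tuples for detection/logging

    def start_external_flow(self, user, mfa_completed, now=None):
        """Issue a session code for `user` after the external flow (and possibly MFA) completes."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self._codes[code] = SessionCode(code, user, mfa_completed, now + self.CODE_TTL_SECONDS)
        return code

    def _issue_session(self, user):
        return {"user": user, "token": secrets.token_urlsafe(32)}

    def complete_login_weak(self, request):
        """Weak pattern: the code only proves *some* flow finished; the user comes from the request."""
        entry = self._codes.get(request.get("code"))
        if entry is None:
            return None
        # No check that the code belongs to request["user"], that MFA ran, or that the code is fresh.
        return self._issue_session(request["user"])

    def complete_login_hardened(self, request, now=None):
        """Hardened pattern: the code, not the request, decides who logs in, and only once."""
        now = time.time() if now is None else now
        requested_user = request.get("user")
        entry = self._codes.get(request.get("code"))
        if entry is None:
            self.audit.append(("login_rejected", requested_user, "unknown_code"))
            return None
        if entry.used:
            self.audit.append(("login_rejected", requested_user, "code_replayed"))
            return None
        entry.used = True  # consume the code on first presentation, whatever happens next
        if now > entry.expires_at:
            self.audit.append(("login_rejected", requested_user, "code_expired"))
            return None
        if not entry.mfa_completed:
            self.audit.append(("login_rejected", requested_user, "mfa_not_completed"))
            return None
        if requested_user != entry.bound_user:
            # The request names a different identity than the one the flow authenticated.
            self.audit.append(("login_rejected", requested_user, "user_mismatch"))
            return None
        self.audit.append(("login_ok", entry.bound_user, "mfa_verified"))
        return self._issue_session(entry.bound_user)


if __name__ == "__main__":
    srv = AuthServer()
    # Constructed scenario: a low-privilege user finishes the external flow without MFA ...
    code = srv.start_external_flow("lowpriv", mfa_completed=False)
    # ... and submits that code with a different user name.
    print("weak handler issued:", srv.complete_login_weak({"code": code, "user": "admin"}))
    print("hardened handler issued:", srv.complete_login_hardened({"code": code, "user": "admin"}))
    print("audit:", srv.audit)
```

The audit tuples are what a defender would forward to a SIEM: a burst of `user_mismatch` or `code_replayed` rejections for one source is a strong signal that someone is probing the login flow, which is more informative than a silent failure.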

Added: Apr 1, 2026, 4:37 PM
Updated: Apr 1, 2026, 4:37 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 5.2
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.