Devolutions Server Improper Authentication Vulnerability in OAuth Flow Allowing User Impersonation

Vulnerability

A vulnerability exists in Devolutions Server in versions up to and including 2026.1.11 and 2025.3.17, where improper authentication in the external OAuth authentication flow allows an authenticated user to impersonate other users, including administrators. The impersonation is achieved by reusing a session code issued during an external authentication flow.
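
The class of flaw described above (a session code from an external login flow that can be redeemed again, or by a different session, to obtain another user's identity) is easiest to see next to the checks that prevent it. The following is an added illustration, not Devolutions Server's code: `NaiveCodeStore` models the reuse pattern, and `HardenedCodeStore` shows the three properties a defender should verify in any such flow: single use, binding to the session that started the flow, and a short lifetime. All class and field names are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 60  # assumed lifetime for the example


@dataclass
class SessionCode:
    user_id: str      # identity asserted by the external identity provider
    issued_to: str    # login session that initiated the external flow
    issued_at: float


class NaiveCodeStore:
    """Weak pattern: the code is looked up but never consumed or bound."""

    def __init__(self):
        self._codes = {}

    def issue(self, user_id, login_session):
        code = secrets.token_urlsafe(32)
        self._codes[code] = SessionCode(user_id, login_session, time.time())
        return code

    def redeem(self, code, login_session):
        entry = self._codes.get(code)  # not removed: the code stays valid
        if entry is None:
            return None
        return entry.user_id  # login_session is never compared to issued_to


class HardenedCodeStore:
    """Single-use, session-bound, time-limited redemption."""

    def __init__(self, now=time.time):
        self._codes = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def issue(self, user_id, login_session):
        code = secrets.token_urlsafe(32)
        self._codes[code] = SessionCode(user_id, login_session, self._now())
        return code

    def redeem(self, code, login_session):
        entry = self._codes.pop(code, None)  # consumed on the first attempt
        if entry is None:
            return None
        if entry.issued_to != login_session:  # only the initiating session
            return None
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            return None
        return entry.user_id
```

Because the hardened store removes the code before checking the binding, a redemption attempt from the wrong session also invalidates it for the legitimate one, which is the safer failure mode.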

Impact

Exploitation of this vulnerability allows for user impersonation, potentially leading to unauthorized access and actions as the impersonated user, including administrative privileges.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.12.0 or higher, or 2025.3.18 or higher.

Added: Apr 1, 2026, 4:35 PM
Updated: Apr 1, 2026, 4:35 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           3.1
impact           5.0
exploitability   5.2
remediation      7.7
relevance        5.1
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.