Devolutions Server MFA Information Exposure Vulnerability

Vulnerability

A vulnerability in the multi-factor authentication (MFA) feature of Devolutions Server allows users with user management privileges to access other users' one-time password (OTP) keys through an authenticated API request. This issue affects Devolutions Server versions from 2026.1.6 and prior to 2026.1.11.

Impact

Exploitation of this vulnerability could lead to unauthorized access to users' MFA OTP keys, potentially allowing for impersonation or unauthorized actions on behalf of those users.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.12 or higher.

Added: Apr 1, 2026, 4:29 PM
Updated: Apr 1, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.