Devolutions Server Improper Access Control in MFA Management API Allowing Account Protection Reduction

Vulnerability

A vulnerability exists in the multi-factor authentication (MFA) management API of Devolutions Server, affecting versions 2026.1.6 through 2026.1.11. An authenticated attacker can send crafted HTTP requests to delete their own MFA factors, reverting their account to password-only authentication. The root cause is improper access control in the API, which lets users bypass the restrictions that should govern changes to their MFA settings.

Impact

Exploitation of this vulnerability allows for the removal of multi-factor authentication, leaving accounts protected only by passwords.

Remediation

Users are advised to upgrade to Devolutions Server version 2026.1.12 or higher.

Added: Apr 1, 2026, 4:30 PM
Updated: Apr 1, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          3.1
impact          0.6
exploitability  4.8
remediation     7.7
relevance       5.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.