
DEVO-2026-0010

Devolutions Server is affected by multiple vulnerabilities.

Affected Products

Devolutions Server: 2026.1.11 and earlier
Devolutions Server: 2025.3.17 and earlier

Change Log

Initial publication - 2026-04-01

8.7 High - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

User impersonation in the external OAuth authentication flow

Improper authentication in the external OAuth authentication flow in Devolutions Server allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.

Affected Products

CVE(s)

CVE-2026-4829

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12.0 or higher, or 2025.3.18 or higher.

Credits

jtof_fap
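As an added illustration of the control that prevents the session-code reuse described in this entry (hypothetical Python, not Devolutions Server code; the in-memory store, the field names and the 60-second code lifetime are assumptions), the model below redeems a code returned by an external authentication flow in two ways: a weak lookup that can be replayed by anyone who obtains the code, beside a hardened version that is single-use, bound to the session that started the login, and time-limited.

```python
"""Single-use, session-bound redemption of an external-authentication code.

Hypothetical illustration only. The external identity provider hands the
application an opaque code after the user authenticates; the application
must accept that code once, only from the session that began the login,
and only for a short time.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingLogin:
    session_id: str   # application session that initiated the external login
    subject: str      # user identity asserted by the external provider
    issued_at: float  # time.time() when the code was issued


class CodeStore:
    """In-memory store of codes returned by the external authentication flow."""

    TTL_SECONDS = 60  # assumed lifetime; real deployments choose their own

    def __init__(self) -> None:
        self._codes: Dict[str, PendingLogin] = {}

    def issue(self, session_id: str, subject: str) -> str:
        """Record that `session_id` completed external auth as `subject`."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingLogin(session_id, subject, time.time())
        return code

    def redeem_reusable(self, code: str) -> Optional[str]:
        """Weak pattern: the code is looked up but never invalidated and the
        caller's session is ignored, so a captured code can be replayed from
        any session to obtain the subject's identity."""
        pending = self._codes.get(code)
        return pending.subject if pending else None

    def redeem_once(self, session_id: str, code: str) -> Optional[str]:
        """Hardened pattern: remove the code before any check, so a second
        presentation (or a failed one) finds nothing; then require that the
        code is fresh and was issued to this very session."""
        pending = self._codes.pop(code, None)
        if pending is None:
            return None
        if time.time() - pending.issued_at > self.TTL_SECONDS:
            return None
        # constant-time comparison of the session binding
        if not hmac.compare_digest(pending.session_id.encode(), session_id.encode()):
            return None
        return pending.subject


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("session-A", "alice")
    print("reusable, first redemption :", store.redeem_reusable(code))
    print("reusable, second redemption:", store.redeem_reusable(code))  # still alice
    print("once, from another session :", store.redeem_once("session-B", code))
    print("once, from the right session:", store.redeem_once("session-A", code))  # gone
```

The decisive detail is the `pop` before validation: a code that has been presented once, even unsuccessfully, can never be presented again, and the session binding means a code captured from one browser is worthless in another.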

7.7 High - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Bypass of secondary authentication factor

Improper authentication in the OAuth login functionality in Devolutions Server allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

Affected Products

CVE(s)

CVE-2026-4828, CVE-2026-4924

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher, or 2025.3.18 or higher.

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

MFA information returned to the user

Exposure of sensitive information in the user MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request.

Affected Products

CVE(s)

CVE-2026-4927

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher.

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

MFA self-delete restriction bypass

Improper access control in the user MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.

Affected Products

CVE(s)

CVE-2026-4925, CVE-2026-5175

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher.

5.3 Medium - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

SSRF in Gateway health check route

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.

Affected Products

CVE(s)

CVE-2026-4989

Remediation and Workarounds

Upgrade to Devolutions Server 2026.1.12 or higher, or 2025.3.18 or higher.

Credits

truff
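As an added defensive illustration of the input-validation failure class behind the SSRF entry above (hypothetical Python, not Devolutions Server's code; the registry shape, the gateway identifiers and the URLs are constructed), the handler below accepts only a registered gateway identifier from the caller, never a caller-supplied URL, and still validates the stored URL before the server issues the health-check request.

```python
"""Keeping a server-initiated health check from becoming an SSRF primitive.

Hypothetical illustration only. Two layers:
  1. the API takes a gateway *identifier*; the destination URL comes from the
     server's own registry, so the caller never controls where the request goes;
  2. the stored URL is validated anyway (scheme, no userinfo, no literal
     internal address, expected port) as defence in depth against a bad entry.
"""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Address ranges a health check should never be pointed at.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed registry: gateway id -> health-check URL configured by an admin.
REGISTRY: Dict[str, str] = {
    "gw-1": "https://gw1.example.test/health",
    "gw-2": "http://gw2.example.test/health",   # misconfigured: plain http
}


def validate_target_url(url: str, allowed_ports=(443,)) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on an out-of-range port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                    # a DNS name, not a literal address
    if ip is not None and (ip.is_multicast or ip.is_reserved
                           or any(ip in net for net in BLOCKED_NETWORKS)):
        return False, "literal address is internal or reserved"
    if (port or 443) not in allowed_ports:
        return False, "port is not allowed"
    return True, "ok"


def resolve_health_check_target(gateway_id: str, registry: Dict[str, str]) -> Optional[str]:
    """Map a caller-supplied gateway id to the URL the server may contact.

    Anything that is not a registered id (including a URL smuggled in as the
    id) yields None, so the caller cannot steer the outbound request."""
    url = registry.get(gateway_id)
    if url is None:
        return None
    ok, _reason = validate_target_url(url)
    return url if ok else None


if __name__ == "__main__":
    for gid in ("gw-1", "gw-2", "https://internal.example.test/"):
        print(f"{gid!r:40} -> {resolve_health_check_target(gid, REGISTRY)}")
```

The first layer does the real work: with an identifier lookup there is no URL for the caller to craft. The second layer only matters when an administrator stores a bad entry, and it deliberately rejects literal internal addresses, so a deployment that must health-check a gateway by private IP would have to whitelist that case explicitly rather than weaken the check for everyone. Name resolution is not performed here; a production check that resolves the host should apply the same range filter to the resolved addresses.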