Security & compliance
Upholding the highest standards to protect your data and ensure trust.
DEVO-2026-0023
Devolutions Server is affected by an improper enforcement of multi-factor authentication policy vulnerability.
Affected Products
Change Log
Initial publication - 2026-07-06
Improper enforcement of multi-factor authentication policy
7.6 High - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
CVE(s)
CVE-2026-14536
Remediation and Workarounds
Upgrade to Devolutions Server 2026.2.11.0 or higher.