Skip to main content

Devolutions Server CVE-2026-14536

| EUVDEUVD-2026-41905 HIGH
Incorrect Authorization (CWE-863)
2026-07-06 DEVOLUTIONS GHSA-w6f7-pj3m-833j
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable login with low-complexity trigger; PR:L because valid credentials are required, and full authenticated account access yields high C/I/A.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 08, 2026 - 12:23 vuln.today
CVSS changed
Jul 08, 2026 - 12:22 NVD
8.8 (HIGH)
Patch available
Jul 06, 2026 - 21:16 EUVD
CVE Published
Jul 06, 2026 - 19:23 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.

AnalysisAI

Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege DVLS credentials
Delivery
Reach DVLS network login endpoint
Exploit
Trigger invalid default MFA value
Execution
MFA Required policy skipped
Persist
Gain fully authenticated session
Impact
Access privileged secrets and sessions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold valid DVLS user credentials (CVSS PR:L confirms authenticated access is needed), and the specific trigger is that DVLS encounters an invalid default MFA value for the account, at which point the mandatory MFA step is skipped. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning network-reachable, low-complexity, and requiring only low-privilege valid credentials with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or otherwise obtained a legitimate low-privilege DVLS user's password targets an account whose MFA default value is invalid; when they log in, DVLS mishandles that invalid default and issues a fully authenticated session without ever prompting for the second factor. The organization believed its MFA Required policy protected the account, but the attacker reaches privileged secrets and sessions with only the stolen password. …
Remediation Vendor-released patch: upgrade Devolutions Server to 2026.2.9.0 (the first release outside the affected 2026.2.4-2026.2.8 range), following vendor advisory DEVO-2026-0023 at https://devolutions.net/security/advisories/DEVO-2026-0023/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running DVLS and confirm version numbers, prioritizing identification of systems in versions 2026.2.4 through 2026.2.8. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

CVE-2026-14536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy