Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable login with low-complexity trigger; PR:L because valid credentials are required, and full authenticated account access yields high C/I/A.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
AnalysisAI
Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold valid DVLS user credentials (CVSS PR:L confirms authenticated access is needed), and the specific trigger is that DVLS encounters an invalid default MFA value for the account, at which point the mandatory MFA step is skipped. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning network-reachable, low-complexity, and requiring only low-privilege valid credentials with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has phished or otherwise obtained a legitimate low-privilege DVLS user's password targets an account whose MFA default value is invalid; when they log in, DVLS mishandles that invalid default and issues a fully authenticated session without ever prompting for the second factor. The organization believed its MFA Required policy protected the account, but the attacker reaches privileged secrets and sessions with only the stolen password. … |
| Remediation | Vendor-released patch: upgrade Devolutions Server to 2026.2.9.0 (the first release outside the affected 2026.2.4-2026.2.8 range), following vendor advisory DEVO-2026-0023 at https://devolutions.net/security/advisories/DEVO-2026-0023/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running DVLS and confirm version numbers, prioritizing identification of systems in versions 2026.2.4 through 2026.2.8. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41905
GHSA-w6f7-pj3m-833j