Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
AnalysisAI
Improper session code validation in Devolutions Server 2026.1.11 and earlier allows authenticated users to escalate privileges and impersonate other users, including administrators, by reusing session codes from external OAuth authentication flows. This authentication bypass affects all versions up to and including 2026.1.11 and requires an attacker to have valid credentials to exploit the vulnerability. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability resides in the OAuth authentication flow implementation within Devolutions Server. The root cause is classified under CWE-287 (Improper Authentication), specifically a failure to properly validate or invalidate session codes generated during external OAuth authentication exchanges. Session codes are typically single-use tokens that authorize token exchange; the flaw allows these codes to be reused across multiple authentication attempts, violating the OAuth 2.0 authorization code grant flow specification which mandates one-time use of authorization codes. This enables an attacker who observes or captures a valid session code to authenticate as a different user without obtaining that user's credentials directly, effectively bypassing credential validation controls.
RemediationAI
Upgrade Devolutions Server to version 2026.1.12 or later, which contains the corrected OAuth session code validation logic. Organizations unable to upgrade immediately should restrict external OAuth authentication to trusted, monitored networks and audit session establishment logs for anomalies such as multiple OAuth code exchanges from the same user account within short timeframes. The official Devolutions security advisory at https://devolutions.net/security/advisories/DEVO-2026-0010 provides detailed update procedures and should be consulted for version-specific remediation guidance and rollback procedures if needed.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17921