Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session token.
Analysis (AI)
Devolutions Server 2026.1.11 and earlier allows a remote attacker who already holds valid credentials for an account to bypass two-factor authentication by reusing the partially authenticated session token, that is, the token issued after the password step but before the second factor has been validated. The result is unauthorized access to the account without the OTP or security key ever being presented. All versions up to and including 2026.1.11 are affected. At analysis time no CVSS score or public exploit confirmation was available; the NVD vector shown above (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) computes to a CVSS 3.1 base score of 8.2 (High).
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | The attacker needs valid credentials for an account on Devolutions Server 2026.1.11 or earlier that has 2FA enabled; the flaw defeats the second factor, not the first. … |
| Risk Assessment | Despite the absence of a CVSS score and EPSS probability data at analysis time, this vulnerability carries significant real-world risk: it turns a stolen, phished or reused password into full account access, which is precisely the outcome 2FA is deployed to prevent. … |
| Exploit Scenario | An attacker holding stolen or guessed Devolutions Server credentials submits them and receives the session token issued after the password step, while the second factor (OTP entry or security-key verification) is still pending. Instead of completing that step, the attacker reuses the partially authenticated token against the application, which honours it as a full session, so MFA is bypassed entirely. … |
| Remediation | Upgrade Devolutions Server to the fixed release Devolutions published after 2026.1.11; the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0010 gives the exact fixed version number. Until the upgrade is applied, treat any account whose password may be compromised as fully compromised and rotate it, since 2FA cannot be relied on to stop the login. … |
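As an added illustration (not Devolutions code; the page publishes no code and the server's internals are not described), the following Python model shows the vulnerability class the assessment describes: a session token minted after the password step that protected endpoints accept before the second factor is verified, beside a hardened flow that gates endpoints on every required factor and rotates the token when 2FA completes so the partial token cannot be reused. All names (SessionStore, login_first_factor, complete_second_factor, the USERS table) and the sample credentials are hypothetical, constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample user store (not real credentials). A real system stores a
# password hash and a TOTP seed; plaintext is used only to keep the model short.
USERS = {
    "alice": {"password": "correct horse", "otp": "123456", "mfa_enabled": True},
}


@dataclass
class Session:
    user: str
    password_verified: bool = False   # first factor done
    mfa_verified: bool = False        # second factor done


class SessionStore:
    """Server-side session table keyed by the opaque token sent to the client."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, session: Session) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = session
        return token

    def get(self, token: str) -> Optional[Session]:
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def login_first_factor(store: SessionStore, username: str, password: str) -> Optional[str]:
    """Password step. Returns a *partially authenticated* token, or None on failure."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    return store.create(Session(user=username, password_verified=True))


def check_otp(username: str, otp: str) -> bool:
    return hmac.compare_digest(USERS[username]["otp"], otp)


# --- Vulnerable pattern -----------------------------------------------------
# The 2FA step merely flips a flag on the same session, and protected endpoints
# only check that the password step happened. From the server's point of view
# the pre-2FA token is therefore already a full session: the bypass in the CVE.

def verify_second_factor_vulnerable(store: SessionStore, token: str, otp: str) -> bool:
    s = store.get(token)
    if s is None or not check_otp(s.user, otp):
        return False
    s.mfa_verified = True                    # same token, now "fully" authenticated
    return True


def protected_resource_vulnerable(store: SessionStore, token: str) -> str:
    s = store.get(token)
    if s is None or not s.password_verified:
        raise PermissionError("not authenticated")
    return f"secret data for {s.user}"       # reachable with the pre-2FA token


# --- Hardened pattern -------------------------------------------------------
# 1. Protected endpoints require every factor the account is configured for.
# 2. Completing 2FA revokes the partial token and issues a fresh one, so a
#    replayed pre-2FA token can neither reach data nor be upgraded twice.

def complete_second_factor(store: SessionStore, token: str, otp: str) -> Optional[str]:
    s = store.get(token)
    if s is None or s.mfa_verified or not check_otp(s.user, otp):
        return None
    store.revoke(token)                      # partial token is dead from here on
    return store.create(Session(user=s.user, password_verified=True, mfa_verified=True))


def protected_resource_fixed(store: SessionStore, token: str) -> str:
    s = store.get(token)
    if s is None or not s.password_verified:
        raise PermissionError("not authenticated")
    if USERS[s.user]["mfa_enabled"] and not s.mfa_verified:
        raise PermissionError("second factor pending")
    return f"secret data for {s.user}"


def bypass_possible(resource) -> bool:
    """True if `resource` serves data to a token that never passed the second factor."""
    store = SessionStore()
    partial = login_first_factor(store, "alice", "correct horse")
    try:
        resource(store, partial)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable endpoint bypassable:", bypass_possible(protected_resource_vulnerable))
    print("fixed endpoint bypassable:     ", bypass_possible(protected_resource_fixed))
```

The two checks in `protected_resource_fixed` are the minimum; the token rotation in `complete_second_factor` is what makes "reuse of a partially authenticated session token" impossible rather than merely harmless, because the partial token no longer exists once the second factor is accepted.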
Weakness: CWE-1390 – Weak Authentication
Technique: Authentication Bypass
EUVD ID: EUVD-2026-17923