Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
AnalysisAI
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated users to bypass administrator-enforced MFA restrictions and remove their own multi-factor authentication via a crafted request. This authentication bypass undermines security policies designed to enforce MFA compliance, enabling threat actors with valid credentials to disable a critical security control and potentially maintain persistent access without secondary authentication verification. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from inadequate authorization checks (CWE-862: Missing Authorization) in Devolutions Server's MFA management functionality. The application fails to properly validate that user requests to modify MFA configurations comply with administrator-enforced policies. Devolutions Server is a privileged access management and credential storage solution that manages authentication policies across enterprise environments. The affected versions 2026.1.6 through 2026.1.11 contain this flaw in the users MFA feature, which typically handles secondary authentication factors. The weakness allows an authenticated user context to bypass policy-level restrictions that should restrict MFA removal to authorized administrators only.
RemediationAI
Organizations should immediately upgrade to Devolutions Server version 2026.1.12 or later, which contains the remediation for this authorization bypass. Users running affected versions (2026.1.6 through 2026.1.11) should prioritize this update within their change management process. Until patched, administrators should monitor and audit MFA configuration changes through Devolutions Server's activity logs and implement supplementary access controls restricting API endpoints related to MFA modification to trusted networks or VPN access. Review the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0010 for comprehensive remediation guidance and version validation steps.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17925