Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
AnalysisAI
Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.
Technical ContextAI
The vulnerability exists in Devolutions Server's MFA implementation, specifically in the API endpoint that manages user credentials and authentication factors. CWE-201 (Insertion of Sensitive Information into Sent Data) indicates that sensitive cryptographic material-OTP keys used to derive time-based one-time passwords (TOTP/HOTP)-is transmitted or exposed in responses without proper access controls. The affected product (cpe:2.3:a:devolutions:server) is a centralized credential and identity management solution; exposing OTP seeds undermines the security assumptions of multi-factor authentication by treating a secret key as readable data rather than a secret that should never be transmitted to clients. The vulnerability requires authentication and specific privilege escalation (user management role), limiting the attack surface to internal administrators or compromised management accounts.
RemediationAI
Upgrade Devolutions Server immediately to version 2026.1.12 or later, which patches the API access control vulnerability in the MFA feature. Customers unable to upgrade immediately should restrict API access and user management role assignments to trusted administrators, audit recent API logs for unauthorized OTP key retrieval, and consider forcing password resets and MFA re-enrollment for users whose OTP keys may have been exposed. For complete remediation guidance and confirmed patch versions, consult the Devolutions advisory at https://devolutions.net/security/advisories/DEVO-2026-0010.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17927