Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.
This issue affects Server: from 2026.1.6 through 2026.1.11.
AnalysisAI
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated attackers to delete their own MFA factors via crafted API requests, reducing account protection to password-only authentication. This vulnerability enables account security degradation without proper authorization checks, potentially compromising accounts that rely on multi-factor authentication as a secondary defense.
Technical ContextAI
The vulnerability exists in the multi-factor authentication (MFA) management API of Devolutions Server, a centralized credential and access management platform. The root cause is classified under CWE-862 (Missing Authorization), indicating that the API endpoint responsible for MFA factor deletion fails to properly verify whether an authenticated user should be permitted to remove their own MFA configurations. The API likely checks user authentication (confirming the user is logged in) but lacks proper authorization logic to enforce security policies that should prevent self-removal of MFA protections or require additional verification steps. This is distinct from an authentication bypass-the attacker must already be authenticated-but represents a authorization flaw allowing privilege escalation or account weakening within the context of an authenticated session.
RemediationAI
Upgrade Devolutions Server to a patched version released after 2026.1.11. Consult the vendor advisory at https://devolutions.net/security/advisories/DEVO-2026-0010 for the specific fixed version number and upgrade instructions. As an interim mitigation, restrict API access to the MFA management endpoint via network ACLs or reverse proxy rules to limit who can submit requests, and audit MFA factor changes in affected versions for unauthorized deletions. Monitor authentication logs for accounts that have lost MFA protection and re-enable MFA factors if necessary.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17931
GHSA-77p2-xw8p-439j