- Description
- Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from 2026.1.6 through 2026.1.11.
- Source
- security@devolutions.net
- NVD status
- Analyzed
- Products
- devolutions_server
CVSS 3.1
- Type
- Secondary
- Base score
- 5
- Impact score
- 1.4
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
- Severity
- MEDIUM
- security@devolutions.net
- CWE-862
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C03E8B95-397C-465C-BE01-810DC9852675",
"versionEndExcluding": "2026.1.12.0",
"versionStartIncluding": "2026.1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]