CVE-2026-4828
OAuth Authentication Bypass in Devolutions Server Enables MFA Bypass
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: Devolutions Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2026.1.1.0 (inc) to 2026.1.12.0 (exc) |
| devolutions | devolutions_server | Up to 2025.3.18.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4828 is a high-severity vulnerability in Devolutions Server versions 2026.1.11 and earlier. The OAuth login functionality performs improper authentication, which allows a remote attacker who already holds valid credentials to bypass multi-factor authentication (MFA): a crafted login request circumvents enforcement of the second factor during OAuth authentication.
How can this vulnerability impact me?
This vulnerability has serious security impact because it lets an attacker with valid credentials bypass multi-factor authentication, a critical security control. Unauthorized users can then reach systems or data that MFA was meant to protect, raising the risk of data breaches, unauthorized actions, and compromise of sensitive information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Devolutions Server to version 2026.1.12.0 or later, or 2025.3.18 or later. These versions address the improper authentication issue that allows bypassing multi-factor authentication via crafted OAuth login requests.
Applying these updates is strongly advised to prevent unauthorized access despite the presence of MFA.
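As an added example (not code from this record or from Devolutions), the following Python helper checks an installed Devolutions Server version string against the two affected ranges listed above and names the first fixed release on that branch, which is useful when triaging an inventory export. The dotted-integer version format with up to four components is an assumption.

```python
# Added example: map a Devolutions Server version to the affected ranges
# published in this CVE record. Not Devolutions code; the dotted-integer
# version format (up to four numeric components) is an assumption.

# (lower bound inclusive, or None for "all earlier versions";
#  upper bound exclusive; first fixed release on that branch)
# Values are taken from the affected-versions table of this record.
AFFECTED_RANGES = [
    (None, "2025.3.18.0", "2025.3.18.0"),
    ("2026.1.1.0", "2026.1.12.0", "2026.1.12.0"),
]


def parse_version(text):
    """Turn '2026.1.11' into (2026, 1, 11, 0) so tuples compare numerically.

    Missing trailing components are treated as 0, so '2025.3.18' equals
    '2025.3.18.0'. Anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    try:
        nums = tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"non-numeric version component in {text!r}") from None
    return nums + (0,) * (4 - len(nums))


def remediation_target(version):
    """Return the first fixed release for an affected version, or None when
    the version falls outside every affected range on this record."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return fixed
    return None


def is_affected(version):
    """True when the version lies inside one of the published affected ranges."""
    return remediation_target(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs, as they might appear in an inventory export.
    for v in ["2026.1.11", "2026.1.12.0", "2025.3.17", "2025.3.18.0", "2024.2.5"]:
        target = remediation_target(v)
        status = f"affected, upgrade to {target}" if target else "not in an affected range"
        print(f"{v:>12}: {status}")
```

The check deliberately treats the bounds exactly as the table states them (lower inclusive, upper exclusive), so 2026.1.12.0 and 2025.3.18.0 themselves report as fixed while 2026.1.11 and 2025.3.17 report as affected.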
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote attacker with valid credentials to bypass multi-factor authentication (MFA) in Devolutions Server, potentially enabling unauthorized access to sensitive data.
By circumventing MFA, the vulnerability weakens the authentication controls that are often required by common standards and regulations such as GDPR and HIPAA to protect personal and sensitive information.
Failure to properly enforce MFA could lead to non-compliance with these regulations, as they mandate strong access controls to prevent unauthorized data access and ensure data security and privacy.
Therefore, this vulnerability poses a risk to compliance by undermining the effectiveness of security measures designed to protect regulated data.