CVE-2026-4828
Received Received - Intake
OAuth Authentication Bypass in Devolutions Server Enables MFA Bypass

Publication date: 2026-04-01

Last updated on: 2026-04-03

Assigner: Devolutions Inc.

Description
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4828
EUVD
EUVD-2026-17919
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
devolutions devolutions_server From 2026.1.1.0 (inc) to 2026.1.12.0 (exc)
devolutions devolutions_server to 2025.3.18.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1390 The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows a remote attacker with valid credentials to bypass multi-factor authentication (MFA) in Devolutions Server, potentially enabling unauthorized access to sensitive data.

By circumventing MFA, the vulnerability weakens the authentication controls that are often required by common standards and regulations such as GDPR and HIPAA to protect personal and sensitive information.

Failure to properly enforce MFA could lead to non-compliance with these regulations, as they mandate strong access controls to prevent unauthorized data access and ensure data security and privacy.

Therefore, this vulnerability poses a risk to compliance by undermining the effectiveness of security measures designed to protect regulated data.

Executive Summary

CVE-2026-4828 is a high-severity vulnerability in Devolutions Server versions 2026.1.11 and earlier. It involves improper authentication in the OAuth login functionality, which allows a remote attacker who already has valid credentials to bypass multi-factor authentication (MFA). This is done by crafting a malicious login request that circumvents the enforcement of the secondary authentication factor during OAuth authentication.

Impact Analysis

This vulnerability can have serious security impacts because it allows an attacker with valid credentials to bypass multi-factor authentication, which is a critical security control. As a result, unauthorized users can gain access to systems or data that should be protected by MFA, increasing the risk of data breaches, unauthorized actions, and potential compromise of sensitive information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Devolutions Server to version 2026.1.12.0 or later, or 2025.3.18 or later. These versions address the improper authentication issue that allows bypassing multi-factor authentication via crafted OAuth login requests.

Applying these updates is strongly advised to prevent unauthorized access despite the presence of MFA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart