CVE-2026-4924
FA Bypass via Session Token Reuse in Devolutions Server
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: Devolutions Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2026.1.1.0 (inc) to 2026.1.12.0 (exc) |
| devolutions | devolutions_server | to 2025.3.18.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper authentication issue in the two-factor authentication (2FA) feature of Devolutions Server version 2026.1.11 and earlier. It allows a remote attacker who already has valid credentials to bypass the multifactor authentication process by reusing a partially authenticated session token, thereby gaining unauthorized access to the victim's account.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker with valid credentials can bypass the additional security layer provided by two-factor authentication. This means the attacker can gain unauthorized access to user accounts, potentially leading to data breaches, unauthorized actions, and compromise of sensitive information.