CVE-2026-4925
Improper Access Control in Devolutions Server MFA Allows Bypass
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: Devolutions Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2026.1.6.0 (inc) to 2026.1.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue in the users MFA (multi-factor authentication) feature of Devolutions Server. It allows an authenticated user to bypass administrator-enforced restrictions and remove their own MFA configuration by sending a specially crafted request.
How can this vulnerability impact me? :
An attacker who is an authenticated user could exploit this vulnerability to disable their own multi-factor authentication, potentially reducing the security of their account. This could increase the risk of unauthorized access if the attackerβs credentials are compromised or if the attacker is a malicious insider.