CVE-2026-4927
Sensitive Information Exposure in Devolutions Server MFA via Authenticated API
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: Devolutions Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2026.1.6.0 (inc) to 2026.1.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the exposure of sensitive information within the Multi-Factor Authentication (MFA) feature of Devolutions Server. Specifically, users who have user management privileges can exploit an authenticated API request to obtain the One-Time Password (OTP) keys of other users.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to other users' OTP keys, potentially allowing an attacker with user management privileges to bypass MFA protections. This could result in unauthorized access to user accounts and sensitive systems protected by MFA.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability exposes sensitive information related to users' MFA (Multi-Factor Authentication) OTP keys to users with user management privileges via an authenticated API request.
Such exposure of sensitive authentication data could potentially lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and authentication information to ensure confidentiality and prevent unauthorized access.
However, specific impacts on compliance are not detailed in the provided information.