CVE-2026-5175
Improper Access Control in Devolutions Server MFA API Enables MFA Bypass
Publication date: 2026-04-01
Last updated on: 2026-04-03
Assigner: Devolutions Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | From 2026.1.6.0 (inc) to 2026.1.12.0 (exc) |
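The affected range above is what a practitioner needs for triage. The following is an added example (not Devolutions code) that turns that range, 2026.1.6.0 inclusive to 2026.1.12.0 exclusive, into a check over an inventory of server version strings; the host names and versions in it are constructed samples.

```python
# Added example: flag Devolutions Server versions inside the advisory's
# affected range, >= 2026.1.6.0 and < 2026.1.12.0. Not Devolutions code;
# the inventory it runs over is a constructed sample.
from typing import Dict, Tuple

AFFECTED_FROM = (2026, 1, 6, 0)   # inclusive lower bound from the advisory
FIXED_IN = (2026, 1, 12, 0)       # exclusive upper bound (first version outside the range)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2026.1.7.0' into (2026, 1, 7, 0).

    Shorter strings are right-padded with zeros so '2026.1.7' compares
    equal to '2026.1.7.0' instead of sorting before it.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True if the version falls inside [AFFECTED_FROM, FIXED_IN)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> True when that host still needs the CVE-2026-5175 fix."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "dvls-prod-01": "2026.1.8.0",
        "dvls-lab-02": "2026.1.12.0",
        "dvls-old-03": "2026.1.5.0",
    }
    for host, hit in triage(sample).items():
        print(f"{host}: {'AFFECTED' if hit else 'ok'}")
```

Tuple comparison does the right thing for multi-digit components (2026.1.11.x sorts before 2026.1.12.0), which a plain string comparison would get wrong.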
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue (a missing authorization check, CWE-862) in the multi-factor authentication (MFA) management API of Devolutions Server. An authenticated user can send specially crafted HTTP requests to that API and delete their own enrolled MFA factors without the server checking whether they are permitted to do so. The account is thereby downgraded to password-only authentication, which is the MFA bypass named in the title. The vendor lists versions from 2026.1.6.0 up to, but not including, 2026.1.12.0 as affected.
How can this vulnerability impact me?
The practical effect is that MFA stops limiting the damage of a compromised password. An attacker who already holds a user's password, or controls an authenticated session, can strip the account's MFA factors through the API and afterwards log in with the password alone. Because the attacker must already be authenticated, the issue is a downgrade of an existing foothold rather than a route to initial access, but it defeats exactly the control that was meant to contain a leaked or phished password. Since the affected range excludes 2026.1.12.0, upgrading to that release or later takes a server out of the affected range; until then, treat unexpected removal of MFA factors from user accounts as suspicious and review which accounts currently have no factor enrolled.
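To make the bug class concrete, here is an added illustrative example of CWE-862 in an MFA-factor deletion handler: the vulnerable form checks only that the caller is authenticated and owns the factor, the hardened form also makes the authorization decision the policy requires. This is not Devolutions Server code; the data model, function names and the `mfa_required` policy flag are assumptions made for the example.

```python
# Added illustrative example of the bug class behind CVE-2026-5175 (CWE-862,
# missing authorization check). NOT Devolutions Server code: User, Policy and
# the handler names are hypothetical and exist only for this example.
from dataclasses import dataclass, field
from typing import Callable, Set


@dataclass
class User:
    name: str
    is_admin: bool = False
    mfa_factors: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    # Assumed tenant setting: when True, users must keep at least one MFA
    # factor and only an administrator may remove the last one.
    mfa_required: bool = True


class Forbidden(Exception):
    pass


def delete_factor_vulnerable(caller: User, target: User, factor_id: str, policy: Policy) -> None:
    """Ownership is the only check; the policy argument is never consulted.
    A user whom policy forces into MFA can still strip it off (CWE-862)."""
    if caller is not target or factor_id not in target.mfa_factors:
        raise Forbidden("not your factor")
    target.mfa_factors.remove(factor_id)


def delete_factor_hardened(caller: User, target: User, factor_id: str, policy: Policy) -> None:
    """Same operation with the authorization decision added: the request is
    checked against who may act on whom and against the enrollment policy."""
    if factor_id not in target.mfa_factors:
        raise Forbidden("no such factor")
    if caller is not target and not caller.is_admin:
        raise Forbidden("cannot modify another user's factors")
    last_factor = len(target.mfa_factors) == 1
    if policy.mfa_required and last_factor and not caller.is_admin:
        # The security-relevant branch: removing the last factor would
        # downgrade the account to password-only, which policy reserves
        # to administrators.
        raise Forbidden("MFA is required; ask an administrator")
    target.mfa_factors.remove(factor_id)


Handler = Callable[[User, User, str, Policy], None]


def downgrade_possible(handler: Handler, policy: Policy) -> bool:
    """True if a non-admin user can reach password-only auth via `handler`.
    Uses a constructed user with a single enrolled factor."""
    alice = User("alice", mfa_factors={"totp-1"})
    try:
        handler(alice, alice, "totp-1", policy)
    except Forbidden:
        return False
    return len(alice.mfa_factors) == 0


if __name__ == "__main__":
    strict = Policy(mfa_required=True)
    print("vulnerable handler allows downgrade:", downgrade_possible(delete_factor_vulnerable, strict))
    print("hardened handler allows downgrade:  ", downgrade_possible(delete_factor_hardened, strict))
```

The point of the hardened version is that "the caller is authenticated and the factor is theirs" is an authentication and ownership check, not an authorization decision; whether a self-service deletion is allowed at all depends on policy state the vulnerable handler never reads.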