Authentication Bypass in Devolutions Server by Microsoft Entra ID
CVE-2026-3224

9.8CRITICAL

Key Information:

Vendor: Devolutions
Status: Server
Vendor: CVE Published:; 3 March 2026

🔔 Create Devolutions Vulnerability Alert

What is CVE-2026-3224?

An authentication bypass vulnerability exists in the Microsoft Entra ID authentication mode within Devolutions Server versions prior to 2025.3.15.0. This issue allows an unauthenticated user to impersonate any arbitrary Entra ID user by exploiting a forged JSON Web Token (JWT). Consequently, attackers can gain unauthorized access to sensitive functionalities of the server, leading to potential data exposure and security breaches.

Affected Version(s)

Server 0 <= 2025.3.15.0

References

https://devolutions.net/security/advisories/DEVO-2026-0005/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2026
Vulnerability Reserved
Feb 25, 2026

CVE-2026-3224 Data

JSON