Information Exposure in Devolutions Server's MFA Feature
CVE-2026-4927

6.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-4927?

The MFA feature in Devolutions Server exposes sensitive information: users with user management privileges can access other users' One-Time Password (OTP) keys through authenticated API requests. An exposed OTP key could allow unauthorized use of the affected user's second authentication factor, compromising user accounts and the security of sensitive data.

Affected Version(s)

Server 2026.1.6 <= 2026.1.11

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
