Improper Access Control in Devolutions Server's MFA Management API
CVE-2026-5175

5 MEDIUM

Key Information:

CVE Published: 1 April 2026

What is CVE-2026-5175?

The multi-factor authentication (MFA) management API in Devolutions Server is affected by improper access control. An authenticated attacker can manipulate their own MFA configuration and delete their own MFA factors, downgrading the account to password-only authentication and substantially weakening its security. The issue affects Devolutions Server versions 2026.1.6 through 2026.1.11.

Affected Version(s)

Server: 2026.1.6 <= version <= 2026.1.11

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
