CVE-2026-9047

HIGH7.6

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors

Published May 22, 2026

Modified 1 weeks ago

Details

Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.

This issue affects :

Devolutions Server 2026.1.6.0 through 2026.1.16.0

References

WEB

https://devolutions.net/security/advisories/DEVO-2026-0013/

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-9047

CVSS Analysis

CVSS v3.1

7.6

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

RequiredUI:R

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

LowA:L

7.6/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Weakness Type (CWE)

Other

CWE-305

Ecosystems

Timeline

PublishedMay 22, 2026

ModifiedMay 22, 2026