CVE-2026-5175

MEDIUM 5.0

CVSS Score

5.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from 2026.1.6 through 2026.1.11.

CWE	CWE-862
Vendor	devolutions
Product	server
Published	Apr 1, 2026
Last Updated	Apr 1, 2026

Stay Ahead of the Next One

Get instant alerts for devolutions server

Be the first to know when new medium vulnerabilities affecting devolutions server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Devolutions / Server

2026.1.6 ≤ 2026.1.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

devolutions.net: https://devolutions.net/security/advisories/DEVO-2026-0010