{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5175", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-30T18:44:07.137Z", "datePublished": "2026-04-01T15:04:22.130Z", "dateUpdated": "2026-04-01T20:12:09.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:04:22.130Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.6", "lessThanOrEqual": "2026.1.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.\u00a0\n\n\n\n\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><div><div><span>Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.&nbsp;</span></div></div></div></div><p>This issue affects Server: from 2026.1.6 through 2026.1.11.</p>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T20:11:21.783652Z", "id": "CVE-2026-5175", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:12:09.411Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5175", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T20:11:21.783652Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:10:30.594Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.6", "versionType": "custom", "lessThanOrEqual": "2026.1.11"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.\u00a0\n\n\n\n\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.", "supportingMedia": [{"type": "text/html", "value": "<div><div><div><div><span>Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.&nbsp;</span></div></div></div></div><p>This issue affects Server: from 2026.1.6 through 2026.1.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T15:04:22.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5175", "state": "PUBLISHED", "dateUpdated": "2026-04-01T20:12:09.411Z", "dateReserved": "2026-03-30T18:44:07.137Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-04-01T15:04:22.130Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C03E8B95-397C-465C-BE01-810DC9852675", "versionEndExcluding": "2026.1.12.0", "versionStartIncluding": "2026.1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.\u00a0\n\n\n\n\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11."}], "id": "CVE-2026-5175", "lastModified": "2026-04-03T19:03:38.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T16:23:52.350", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.6,2026.1.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-03T21:53:28.177369+00:00", "value": {"mitigation_remediation": ["Upgrade to Devolutions Server version 2026.1.12 or newer to eliminate the vulnerability.", "Check the Devolutions website or advisories for any interim guidance until the upgrade can be applied.", "Verify that MFA remains enabled for user accounts after applying the patch.", "Consider strengthening overall account access controls to prevent unauthorized API use."], "summary": {"action": "Patch", "impact": "Deletion of a user\u2019s MFA factors reduces account protection to password\u2011only authentication."}, "threat_synthesis": {"affected_systems": "Devolutions Server versions from 2026.1.6 through 2026.1.11 are affected. No other products or versions are mentioned in the advisory.", "description_and_impact": "This vulnerability lies in the MFA management API of Devolutions Server. Because the API lacks proper authorization checks, a logged\u2011in attacker can issue crafted HTTP requests that delete any MFA factor associated with their own account. Removing these factors reverts the account to single\u2011factor password protection, thereby increasing the attacker\u2019s chance of credential compromise. The weakness is a missing permission check, classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5 indicates moderate severity, and the EPSS score is below 1%, suggesting a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session; the attacker can then delete MFA factors with a simple crafted HTTP request. Reducing MFA increases the risk of credential theft, making this a notable risk that should be addressed promptly."}}}}, "created": "2026-04-02T07:48:59.894483+00:00", "updated": "2026-04-07T08:07:32.604527+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}