CVE-2026-4927

MEDIUM

Devolutions Server 2026.1.6-2026.1.11 - Info Disclosure

Title source: llm

Description

Exposure of sensitive information in the users' MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request. This issue affects Devolutions Server versions 2026.1.6 through 2026.1.11.

Scores

CVSS v3 6.5
EPSS 0.0004
EPSS Percentile 10.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-201
Status published
Products (2)
devolutions/devolutions_server 2026.1.6.0 - 2026.1.12.0
Devolutions/Server 2026.1.6 - 2026.1.11
Published Apr 01, 2026
Tracked Since Apr 01, 2026