CVE-2026-4828
Published: 01 April 2026
Summary
CVE-2026-4828 is a high-severity Weak Authentication (CWE-1390) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-12 (Audit Record Generation) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the improper authentication flaw in Devolutions Server's OAuth login by applying vendor patches to versions later than 2026.1.11.
Ensures organizational users are identified and authenticated using robust mechanisms including MFA, preventing bypass via crafted OAuth login requests.
Generates audit records for authentication events in OAuth login, enabling detection of unauthorized MFA bypass attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an improper authentication flaw in the OAuth login of a publicly accessible server, directly enabling remote attackers with valid credentials to bypass MFA and gain unauthorized access. This matches the definition of exploiting a public-facing application for initial access.
NVD Description
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
Deeper analysisAI
CVE-2026-4828 is an improper authentication vulnerability affecting the OAuth login functionality in Devolutions Server versions 2026.1.11 and earlier. Published on 2026-04-01, it enables a remote attacker with valid credentials to bypass multi-factor authentication (MFA) by submitting a crafted login request. The issue is cataloged under CWE-1390 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high severity with network accessibility, high attack complexity, and significant impacts on confidentiality and integrity.
A remote attacker possessing valid low-privilege credentials, such as those of a legitimate user, can exploit this vulnerability without user interaction. The attack requires crafting a malicious login request to the OAuth endpoint, successfully circumventing MFA controls. Upon success, the attacker achieves expanded scope access to the server, enabling high-level unauthorized data exposure and modification, though availability remains unaffected.
Devolutions has published security advisory DEVO-2026-0010 at https://devolutions.net/security/advisories/DEVO-2026-0010, which details mitigation strategies and available patches for affected versions.
Details
- CWE(s)