Cyber Resilience

CVE-2026-4828

High

Published: 01 April 2026

Published
01 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0026 17.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4828 is a high-severity Weak Authentication (CWE-1390) vulnerability in Devolutions Devolutions Server. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-12 (Audit Record Generation) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-4828 is an improper authentication vulnerability affecting the OAuth login functionality in Devolutions Server versions 2026.1.11 and earlier. Published on 2026-04-01, it enables a remote attacker with valid credentials to bypass multi-factor authentication (MFA) by submitting a crafted login request. The issue is cataloged under CWE-1390 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N), indicating high severity with network accessibility, high attack complexity, and significant impacts on confidentiality and integrity.

A remote attacker possessing valid low-privilege credentials, such as those of a legitimate user, can exploit this vulnerability without user interaction. The attack requires crafting a malicious login request to the OAuth endpoint, successfully circumventing MFA controls. Upon success, the attacker achieves expanded scope access to the server, enabling high-level unauthorized data exposure and modification, though availability remains unaffected.

Devolutions has published security advisory DEVO-2026-0010 at https://devolutions.net/security/advisories/DEVO-2026-0010, which details mitigation strategies and available patches for affected versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper authentication flaw in the OAuth login of a publicly accessible server, directly enabling remote attackers with valid credentials to bypass MFA and gain unauthorized access. This matches the definition of exploiting a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4924Same product: Devolutions Devolutions Server
CVE-2026-3204Same product: Devolutions Devolutions Server
CVE-2026-1007Same product: Devolutions Devolutions Server
CVE-2026-0610Same product: Devolutions Devolutions Server
CVE-2025-2280Same product: Devolutions Devolutions Server
CVE-2026-3224Same product: Devolutions Devolutions Server
CVE-2025-2277Same product: Devolutions Devolutions Server
CVE-2025-2003Same product: Devolutions Devolutions Server
CVE-2026-3130Same product: Devolutions Devolutions Server
CVE-2026-4434Same product: Devolutions Devolutions Server

Affected Assets

devolutions
devolutions server
≤ 2025.3.18.0 · 2026.1.1.0 — 2026.1.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper authentication flaw in Devolutions Server's OAuth login by applying vendor patches to versions later than 2026.1.11.

prevent

Ensures organizational users are identified and authenticated using robust mechanisms including MFA, preventing bypass via crafted OAuth login requests.

detect

Generates audit records for authentication events in OAuth login, enabling detection of unauthorized MFA bypass attempts.

References