CVE-2026-3224 | THREATINT

Description

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

PUBLISHED Reserved 2026-02-25 | Published 2026-03-03 | Updated 2026-03-03 | Assigner DEVOLUTIONS

Problem types

CWE-287 Improper Authentication, CWE-347: Improper Verification of Cryptographic Signature

Product status

Default status

unaffected

Any version

affected

References

devolutions.net/security/advisories/DEVO-2026-0005/

cve.org (CVE-2026-3224)

nvd.nist.gov (CVE-2026-3224)

Download JSON