CVE-2026-4927 | THREATINT

Description

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11.

PUBLISHED Reserved 2026-03-26 | Published 2026-04-01 | Updated 2026-04-01 | Assigner DEVOLUTIONS

Problem types

CWE-201 Insertion of sensitive information into sent data

Product status

Default status

unaffected

2026.1.6 (custom)

affected

References

devolutions.net/security/advisories/DEVO-2026-0010

cve.org (CVE-2026-4927)

nvd.nist.gov (CVE-2026-4927)

Download JSON