CVE-2026-5175 Overview
CVE-2026-5175 is an improper access control vulnerability in the multi-factor authentication (MFA) management API of Devolutions Server. An authenticated attacker can delete their own configured MFA factors through crafted HTTP requests, reducing the account's protection to password-only authentication. For organizations that treat MFA as mandatory, this undermines a control they assume is enforced server-side rather than left to the user.
Critical Impact
Authenticated attackers can remove their own configured MFA factors, downgrading the account to single-factor (password-only) authentication. An attacker who already holds a compromised password can then keep logging in without ever presenting a second factor.
Affected Products
- Devolutions Server versions 2026.1.6 through 2026.1.11
Discovery Timeline
- April 1, 2026 - CVE-2026-5175 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5175
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-862: Missing Authorization) in the MFA management API of Devolutions Server. The API lets authenticated users change their own MFA configuration in a way the application's security model is supposed to forbid.
An attacker who has already authenticated can send crafted HTTP requests to the MFA management API that delete configured MFA factors from their own account. Although only the attacker's own account is affected, the consequences matter in two common situations: where MFA is mandatory by organizational policy, and where the attacker obtained the session in the first place through compromised credentials and now wants to make sure the password alone keeps working.
The attack requires network access to the server and a valid authenticated session, but no user interaction and no privileges beyond those of an ordinary user. In CVSS terms the scope is rated as changed, meaning the impact extends to resources beyond the vulnerable component itself.
Root Cause
The root cause is a missing authorization check (CWE-862) in the MFA management API. The endpoint that deletes MFA factors accepts a deletion request from any authenticated user without verifying that the user is permitted to remove that factor, for example when an organizational policy mandates MFA for the account. Authentication and account ownership are treated as sufficient, so any authenticated user can strip MFA from their own account regardless of policy.
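The following is an added illustration of the flaw class described above, not Devolutions Server's code: a minimal model of an MFA-factor deletion handler that checks only authentication and ownership, next to a hardened version that also enforces the organization's MFA policy. The step-up re-authentication check in the hardened handler is an assumed good practice, not something the page states about the vendor's fix.

```python
"""Hypothetical model of the CWE-862 pattern in CVE-2026-5175.

Illustrative code only; it is not Devolutions Server's implementation.
The Account model, the policy flag and the step-up check are assumptions.
"""

from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    factors: set = field(default_factory=set)  # ids of configured MFA factors
    mfa_required: bool = False                  # org policy: MFA mandatory for this account


class Forbidden(Exception):
    """Raised when a request is rejected by authorization."""


def delete_factor_vulnerable(caller: Account, target: Account, factor_id: str) -> None:
    """Vulnerable: ownership is the only check, so policy is never consulted."""
    if caller is not target:
        raise Forbidden("not your account")
    target.factors.discard(factor_id)  # the account can be left with no MFA at all


def delete_factor_hardened(caller: Account, target: Account, factor_id: str,
                           recent_mfa_ok: bool, admin_override: bool = False) -> None:
    """Hardened: ownership AND policy AND step-up authentication."""
    if caller is not target and not admin_override:
        raise Forbidden("not your account")
    if factor_id not in target.factors:
        raise KeyError(factor_id)
    # Changing MFA settings is a sensitive operation: require a fresh second factor
    # (assumed practice) unless an administrator is acting on the account.
    if not recent_mfa_ok and not admin_override:
        raise Forbidden("step-up authentication required")
    # Policy check the vulnerable handler lacks: a mandatory-MFA account may never
    # drop its last factor through self-service.
    if target.mfa_required and len(target.factors) == 1 and not admin_override:
        raise Forbidden("MFA is mandatory for this account; last factor cannot be removed")
    target.factors.discard(factor_id)


def outcome(handler, account: Account, factor_id: str, **kwargs) -> str:
    """Run a self-service deletion through `handler` and describe the result."""
    try:
        handler(account, account, factor_id, **kwargs)
    except Forbidden as exc:
        return f"forbidden: {exc}"
    return "removed"


if __name__ == "__main__":
    victim = Account("alice", {"totp-1"}, mfa_required=True)
    print(outcome(delete_factor_vulnerable, victim, "totp-1"), victim.factors)
    victim = Account("alice", {"totp-1"}, mfa_required=True)
    print(outcome(delete_factor_hardened, victim, "totp-1", recent_mfa_ok=True), victim.factors)
```

The point of the comparison is that "the caller owns this factor" answers a different question from "the caller is allowed to remove it"; the second question is where organizational policy has to be enforced, and it is the one the vulnerable handler never asks.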
Attack Vector
The attack is network-based and requires the attacker to have valid authentication credentials for a Devolutions Server account. The attack flow involves:
- Authenticating to Devolutions Server with valid credentials
- Crafting malicious HTTP requests targeting the MFA management API endpoint
- Submitting requests to delete configured MFA factors from the authenticated account
- Successfully reducing account protection from multi-factor to password-only authentication
The vulnerability can be exploited remotely with low attack complexity. Once the factors are gone, an attacker who holds the account's password can continue to log in with that password alone, without the additional barrier MFA was meant to provide.
Detection Methods for CVE-2026-5175
Indicators of Compromise
- Unexpected MFA factor deletion events in Devolutions Server audit logs
- API requests to MFA management endpoints that result in factor removal
- User accounts suddenly transitioning from MFA-enabled to password-only status
- Unusual patterns of MFA configuration changes across multiple accounts
Detection Strategies
- Monitor Devolutions Server API logs for requests to MFA management endpoints, particularly DELETE operations
- Implement alerting on MFA factor removal events, especially for accounts subject to mandatory MFA policies
- Review authentication logs for accounts that previously used MFA but are now authenticating with password-only
- Deploy API monitoring solutions to detect anomalous request patterns targeting authentication management endpoints
Monitoring Recommendations
- Enable comprehensive audit logging in Devolutions Server for all MFA-related operations
- Configure SIEM rules to alert on MFA configuration changes, particularly factor deletions
- Establish baseline MFA enrollment metrics and alert on unexpected decreases
- Implement regular compliance checks to verify MFA status for accounts subject to MFA requirements
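As an added example covering the indicators and detection strategies above (not tooling from the page or from Devolutions), the following script runs the checks over a handful of constructed audit events. The JSON-lines shape and the field names are assumed for illustration; the real Devolutions Server audit log format is not known to match them, so the parser is the part to adapt.

```python
"""Detection logic for MFA-factor removal, run over constructed sample events.

Added example; the event format below is hypothetical and must be mapped to the
actual Devolutions Server audit log before use.
"""

import json
from collections import defaultdict

# Constructed sample audit log (hypothetical JSON-lines format).
SAMPLE_LOG = """\
{"ts":"2026-04-01T08:00:00Z","event":"mfa.factor.added","user":"alice","factor":"totp-1"}
{"ts":"2026-04-01T08:01:00Z","event":"mfa.factor.added","user":"bob","factor":"totp-2"}
{"ts":"2026-04-01T08:02:00Z","event":"mfa.factor.added","user":"bob","factor":"fido-3"}
{"ts":"2026-04-01T09:10:00Z","event":"mfa.factor.removed","user":"bob","factor":"totp-2"}
{"ts":"2026-04-01T09:12:00Z","event":"mfa.factor.removed","user":"alice","factor":"totp-1"}
{"ts":"2026-04-01T09:15:00Z","event":"auth.login","user":"alice","mfa_used":false}
{"ts":"2026-04-01T09:16:00Z","event":"auth.login","user":"bob","mfa_used":true}
"""

# Accounts covered by a mandatory-MFA policy (assumed list for the example).
MANDATORY_MFA_USERS = {"alice"}


def parse_events(text: str) -> list:
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list, mandatory_users: set) -> dict:
    """Replay events in order and collect the indicators worth alerting on."""
    factors = defaultdict(set)      # current factor set per user
    ever_enrolled = set()           # users who had MFA at some point
    removals = []                   # every factor removal (ts, user, factor)
    downgraded = set()              # users whose factor count dropped to zero
    policy_violations = set()       # removals on mandatory-MFA accounts
    password_only_after = set()     # downgraded users who then logged in without MFA

    for e in events:
        user, kind = e["user"], e["event"]
        if kind == "mfa.factor.added":
            factors[user].add(e["factor"])
            ever_enrolled.add(user)
        elif kind == "mfa.factor.removed":
            factors[user].discard(e["factor"])
            removals.append((e["ts"], user, e["factor"]))
            if user in mandatory_users:
                policy_violations.add(user)
            if user in ever_enrolled and not factors[user]:
                downgraded.add(user)
        elif kind == "auth.login":
            if user in downgraded and not e.get("mfa_used", False):
                password_only_after.add(user)

    enrolled_now = {u for u, f in factors.items() if f}
    return {
        "removals": removals,
        "downgraded": downgraded,
        "policy_violations": policy_violations,
        "password_only_logins_after_downgrade": password_only_after,
        "enrollment_before": len(ever_enrolled),  # baseline for the drop check
        "enrollment_after": len(enrolled_now),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_events(SAMPLE_LOG), MANDATORY_MFA_USERS).items():
        print(f"{key}: {value}")
```

Three of the four indicators come from the same replay: a removal on a mandatory-MFA account is the high-priority alert, an account whose factor set reaches zero is the "transition to password-only" indicator, and the enrollment counts before and after give the baseline decrease. Bob's removal of one of two factors is recorded but not escalated, which is the behaviour you want if users are allowed to rotate factors.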
How to Mitigate CVE-2026-5175
Immediate Actions Required
- Upgrade Devolutions Server to the fixed version named in the vendor advisory (later than 2026.1.11)
- Review Devolutions Server audit logs for evidence of unauthorized MFA factor deletions
- Verify MFA status for all user accounts, especially privileged accounts
- Enforce re-enrollment of MFA for any accounts where factors may have been improperly removed
Patch Information
Devolutions has published a security advisory for this vulnerability. Organizations should consult the Devolutions Security Advisory DEVO-2026-0010 for specific patch information and upgrade instructions. Apply the recommended security update to all affected Devolutions Server installations running versions 2026.1.6 through 2026.1.11.
Workarounds
- Restrict network access to Devolutions Server, and to its MFA management API endpoints in particular, to trusted IP ranges; this limits who can reach the endpoint but cannot distinguish a legitimate user from an attacker holding that user's credentials
- Configure web application firewall (WAF) rules to log, and where the operational impact is acceptable block, requests to the MFA management endpoints that would remove a factor; note that blanket blocking also prevents legitimate self-service enrollment and factor rotation
- Treat these as compensating controls only: they reduce exposure until the update is applied but do not restore the missing authorization check
- Monitor MFA configuration changes closely and, where the product allows it, require administrative involvement for factor deletions on accounts subject to mandatory MFA
Before relying on any workaround, confirm the installed version: versions 2026.1.6 through 2026.1.11 are affected. Consult the Devolutions documentation for how to read the installed version of a given server.
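As an added helper (not a Devolutions tool), the following compares a version string you have already obtained from the server against the affected range stated above. It assumes versions are dotted numerics of three or four components and compares only the first three; how you obtain the string is left to the vendor documentation.

```python
"""Check a Devolutions Server version string against the CVE-2026-5175 range.

Added example; the version string format (3 or 4 dotted numeric components)
is an assumption, and obtaining the string is outside the scope of this helper.
"""

import re

AFFECTED_MIN = (2026, 1, 6)
AFFECTED_MAX = (2026, 1, 11)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Return the first three numeric components of a dotted version string."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups()[:3])


def is_affected(text: str) -> bool:
    """True when the version falls inside 2026.1.6 .. 2026.1.11 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def assess(text: str) -> str:
    """Human-readable verdict for an installed version."""
    if is_affected(text):
        return f"{text.strip()}: affected by CVE-2026-5175; apply the update from DEVO-2026-0010"
    return f"{text.strip()}: outside the affected range 2026.1.6 through 2026.1.11"


if __name__ == "__main__":
    for sample in ("2026.1.5", "2026.1.6", "2026.1.11.0", "2026.1.12"):
        print(assess(sample))
```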
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.