wid-sec-w-2026-0958 · Published 2026-04-01 · BSI CERT-Bund
Devolutions Server: Multiple Vulnerabilities
CVSS 8.2 (HIGH)
Risk Summary
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
Affected Vendors
Devolutions
Affected Products (4)
Devolutions · Server <2026.1.12.0
Devolutions · Server 2026.1.12.0
Devolutions · Server <2025.3.18
Devolutions · Server 2025.3.18