Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
History

Tue, 14 Jul 2026 08:00:00 +0000

Type Values Removed Values Added
Title Devolutions Server MFA Enforcement Bypass
Weaknesses CWE-284
CWE-639

Mon, 13 Jul 2026 11:15:00 +0000

Type Values Removed Values Added
Title Devolutions Server MFA Enforcement Bypass
Weaknesses CWE-284
CWE-639

Sun, 12 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
Title Improper MFA Enforcement Allows Authentication Bypass in Devolutions Server
Weaknesses CWE-287

Sat, 11 Jul 2026 05:15:00 +0000

Type Values Removed Values Added
Title Improper MFA Enforcement Allows Authentication Bypass in Devolutions Server
Weaknesses CWE-287

Fri, 10 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
Title MFA Bypass Allows Authentication Without Second Factor in Devolutions Server
Weaknesses CWE-287

Fri, 10 Jul 2026 02:15:00 +0000

Type Values Removed Values Added
Title MFA Bypass Allows Authentication Without Second Factor in Devolutions Server
Weaknesses CWE-287

Thu, 09 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass Allows Authentication Without Multi‑Factor Confirmation in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass Allows Authentication Without Multi‑Factor Confirmation in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Wed, 08 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Tue, 07 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Mon, 06 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published: 2026-07-06T19:23:21.459Z

Updated: 2026-07-09T15:01:21.700Z

Reserved: 2026-07-03T00:08:05.267Z

Link: CVE-2026-14536

cve-icon Vulnrichment

Updated: 2026-07-07T14:00:31.458Z

cve-icon NVD

No data.

cve-icon Redhat

No data.