{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4927", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-03-26T18:39:49.096Z", "datePublished": "2026-04-01T14:54:45.806Z", "dateUpdated": "2026-04-01T19:26:56.487Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T14:54:45.806Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-201", "description": "CWE-201 Insertion of sensitive information into sent data", "type": "CWE"}]}], "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.6", "lessThanOrEqual": "2026.1.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div>Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.</div></div><p>This issue affects Server: from 2026.1.6 through 2026.1.11.</p>"}]}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:26:40.599076Z", "id": "CVE-2026-4927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:26:56.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:26:40.599076Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:26:52.703Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "2026.1.6", "versionType": "custom", "lessThanOrEqual": "2026.1.11"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.", "supportingMedia": [{"type": "text/html", "value": "<div><div>Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.</div></div><p>This issue affects Server: from 2026.1.6 through 2026.1.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201 Insertion of sensitive information into sent data"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-04-01T14:54:45.806Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4927", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:26:56.487Z", "dateReserved": "2026-03-26T18:39:49.096Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-04-01T14:54:45.806Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C03E8B95-397C-465C-BE01-810DC9852675", "versionEndExcluding": "2026.1.12.0", "versionStartIncluding": "2026.1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11."}], "id": "CVE-2026-4927", "lastModified": "2026-04-03T19:14:03.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T16:23:51.870", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0010"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.6,2026.1.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-03T22:36:41.649198+00:00", "value": {"mitigation_remediation": ["Upgrade Devolutions Server to version 2026.1.12 or later, or apply the vendor\u2011issued patch that corrects API access to OTP keys.", "If an upgrade is not immediately possible, remove or restrict user\u2011management privileges for accounts that do not require them, thereby limiting the ability to request other users\u2019 OTP keys.", "Monitor audit logs for anomalous OTP key retrieval requests, and enforce strict logging of privileged actions.", "Consider disabling or limiting the exposure of OTP keys through application configuration until a remediation is achieved."], "summary": {"action": "Patch Now", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects Devolutions Server versions 2026.1.6 through 2026.1.11. Users of these releases should verify whether they are running an impacted build and assess the presence of user\u2011management role assignments.", "description_and_impact": "An authenticated API in Devolutions Server allows users with user\u2011management privileges to retrieve other users\u2019 one\u2011time password (OTP) keys, exposing the secrets that protect multi\u2011factor authentication. The vulnerability, classified as CWE\u2011201, compromises the confidentiality of MFA credentials and enables attackers who obtain such keys to perform account takeovers or bypass two\u2011factor protections. The attack does not directly grant code execution or denial of service, but it removes a critical layer of security.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate to high severity. Because exploitation requires legitimate, privileged user access, the EPSS score is below 1\u202f%, suggesting a low probability of widespread, automated attacks. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, compromised OTP keys can lead to full account compromise, so the risk remains substantial for any system where malicious or compromised privileged users exist."}}}}, "created": "2026-04-02T07:49:02.015094+00:00", "updated": "2026-04-07T08:07:34.556592+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}