cbcvebase.
CVE-2026-9047
published 2026-05-22

CVE-2026-9047: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's…

PriorityP348high7.6CVSS 3.1
AVNACLPRLUIRSUCHIHAL
EPSS
0.21%
11.9th percentile
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.

This issue affects :

* Devolutions Server 2026.1.6.0 through 2026.1.16.0

Affected

2 ranges
VendorProductVersion rangeFixed in
devolutionsdevolutions_server>= 2026.1.6.0 < 2026.1.19.02026.1.19.0
devolutionsserver2026.1.6.0 – 2026.1.16.0

CVSS provenance

nvdv3.17.6HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
cvelistv5v3.17.6HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.