CVE-2026-9047
published 2026-05-22
CVE-2026-9047: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's…
Priority P348 · high · 7.6 · CVSS 3.1
AV:N · AC:L · PR:L · UI:R · S:U · C:H · I:H · A:L
EPSS: 0.21% (11.9th percentile)
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devolutions | devolutions_server | >= 2026.1.6.0 < 2026.1.19.0 | 2026.1.19.0 |
| devolutions | server | 2026.1.6.0 – 2026.1.16.0 | — |
CVSS provenance
nvd · v3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
cvelistv5 · v3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
GHSA
GHSA-6h3w-2xh7-wr95: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of
ghsa_unreviewed·2026-05-26
CVE-2026-9047 [HIGH] CWE-305 GHSA-6h3w-2xh7-wr95: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
VulDB
Devolutions Server up to 2026.1.16.0 authentication bypass (DEVO-2026-0013 / EUVD-2026-31450)
vuldb·2026-05-22
CVE-2026-9047 [CRITICAL] Devolutions Server up to 2026.1.16.0 authentication bypass (DEVO-2026-0013 / EUVD-2026-31450)
A vulnerability, which was classified as critical, has been found in Devolutions Server up to 2026.1.16.0. This affects an unknown function. The manipulation leads to authentication bypass by primary weakness.
This vulnerability is traded as CVE-2026-9047. It is possible to initiate the attack remotely. There is no exploit available.
CVEList
CVE-2026-9047: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of
cvelistv5·2026-05-22·CVSS 7.6
CVE-2026-9047 [HIGH] CWE-305 CVE-2026-9047: Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors.
This issue affects:
* Devolutions Server 2026.1.6.0 through 2026.1.16.0
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22