VYPR | Vypr Intelligence · AI-generated · May 31, 2026 · 9 CVEs

Devolutions Server: Nine CVEs Disclosed in Single Advisory — MFA Bypass, Auth Flaws, and Access Control Gaps

Devolutions patched nine vulnerabilities in its Server product on May 22, 2026, including a high-severity MFA bypass (CVE-2026-9047) and an AD authentication relay flaw (CVE-2026-7325). The affected versions run up to and including 2026.1.16.0, with some of the flaws also reaching the 2025.3.20.0 line and earlier.

Key findings

  • CVE-2026-9047 (CVSS 7.6) allows MFA bypass after a user reconfigures their factors — password compromise alone is enough
  • CVE-2026-7325 (CVSS 7.1) lets low-privileged users relay AD authentication to an attacker-controlled server
  • CVE-2026-9251 bypasses the Pending Approval workflow, giving non-admins access to entry data
  • CVE-2026-8477 lets sealed-entry data be retrieved silently without triggering audit notifications
  • CVE-2026-9249 enables password changes without providing the current password
  • All nine CVEs affect Devolutions Server 2026.1.16.0 and earlier; patched in a single update

Devolutions released a coordinated security update on May 22, 2026, addressing nine distinct vulnerabilities in Devolutions Server, the company's centralized password and privileged access management platform. The batch spans Low to High severity (CVSSv3 2.7–7.6) and touches nearly every core function — authentication, authorization, multi-factor enforcement, vault management, and Active Directory integration. Affected versions include Devolutions Server 2026.1.6.0 through 2026.1.16.0, with some bugs also impacting the 2025.3.20.0 release line and earlier.

MFA Bypass and Authentication Weaknesses

The most severe vulnerability in the batch is **CVE-2026-9047** (CVSS 7.6, High), an improper handling of factor key state in the multi-factor authentication management feature. An attacker who knows a user's password can bypass that user's MFA entirely after the user reconfigures their authentication factors. Because the flaw resides in how the server tracks factor state across reconfiguration events, a single password compromise can cascade into a full account takeover without the second factor ever being challenged.

**CVE-2026-9249** (CVSS 3.1, Low) is an unverified password change bug: a crafted request allows an attacker to change a user's password without supplying the current one. This affects versions 2026.1.6.0 through 2026.1.16.0, as well as 2025.3.20.0 and earlier.

**CVE-2026-9245** (CVSS 5.0, Medium) is an open redirect via improper input validation in the external authentication provider flow. An unauthenticated remote attacker can craft a login link that redirects victims to an attacker-controlled domain, making it a credible phishing vector.

Authorization and Access Control Gaps

Several CVEs expose weaknesses in how Devolutions Server enforces permissions across its entry management features.

**CVE-2026-9251** (CVSS 5.4, Medium) allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data by sending a crafted status change request. This undermines one of the product's core governance controls.

**CVE-2026-9246** (CVSS 4.3, Medium) lets an authenticated user with vault read access retrieve the documentation and attachments of *sealed* entries via a crafted API request. Sealed entries are supposed to be locked against viewing, making this a direct bypass of that protection.

**CVE-2026-8477** (CVSS 2.7, Low) is a related sealed-entry workflow flaw: an authenticated user with access to a sealed entry can retrieve its sensitive data without triggering the unseal audit notification. This means the bypass is silent — no audit trail is generated.

**CVE-2026-5171** (CVSS 4.3, Medium) allows an authenticated user who can access an entry, but who lacks the permission to view its activity logs, to retrieve those logs via a crafted API request. This is an information disclosure that leaks the audit history of entries the user can see but should not be able to audit.

Vault and Import Feature Flaws

**CVE-2026-9223** (CVSS 4.3, Medium) is a missing authorization check in the vault import feature affecting Devolutions Server 2026.1.16.0 and earlier. A low-privileged authenticated user can create new vaults via a crafted import request — an operation that should require higher privileges.

Active Directory Authentication Relay

**CVE-2026-7325** (CVSS 7.1, High) is an improper authorization flaw in the Active Directory browsing feature. A low-privileged authenticated user can obtain authentication material associated with a stored PAM provider service account by relaying authentication to an attacker-controlled server. This is particularly dangerous in enterprise deployments where Devolutions Server is the hub for privileged account management across the domain.

Patch Status and Mitigations

Devolutions addressed the full batch in a single update. Users running Devolutions Server 2026.1.16.0 or earlier — including the 2025.3.20.0 line — should upgrade to the latest patched version immediately. The vendor's advisory covers all nine CVEs, and no in-the-wild exploitation has been publicly reported as of the disclosure date. No workarounds beyond upgrading have been published.
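A practical first step for defenders is to find which deployed instances fall inside the affected range before scheduling the upgrade. The script below is an added example written for this article, not Devolutions tooling and not taken from the vendor advisory. It parses the four-part version strings quoted above and triages an inventory against the blanket rule the advisory gives (2026.1.16.0 and earlier is affected). The host names are constructed, and the version 2026.1.17.0 is an assumed post-fix build used only to exercise the "not affected" branch; the page itself names no fixed version.

```python
"""Version triage for the Devolutions Server advisory discussed above.

Added example, not vendor code. The affected-range boundary is taken from the
advisory summary ("2026.1.16.0 and earlier"); the inventory is constructed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Upper bound of the affected range, as stated in the advisory summary.
# Some CVEs are described with a narrower range (e.g. 2026.1.6.0 through
# 2026.1.16.0 plus 2025.3.20.0 and earlier), but the upgrade advice is the
# same for all of them, so the conservative blanket rule is used here.
AFFECTED_MAX = "2026.1.16.0"


def parse_version(text: str) -> Version:
    """Parse a four-part numeric version such as '2026.1.16.0'.

    Anything else raises ValueError so that odd inventory entries are flagged
    rather than compared as plain strings. String comparison is the classic
    pitfall here: as strings, '2026.1.9.0' sorts *after* '2026.1.16.0'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric version: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when `version` is at or below the highest affected release."""
    return parse_version(version) <= parse_version(affected_max)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'UPGRADE', 'OK' or 'UNPARSEABLE'.

    `inventory` is {host: version string}. Unparseable versions are reported
    separately instead of being treated as safe, so nothing slips through on
    a typo in the asset database.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "UPGRADE" if is_affected(version) else "OK"
        except ValueError:
            result[host] = "UNPARSEABLE"
    return result


def first_unaffected(inventory: Dict[str, str]) -> Optional[str]:
    """Return the first host already on an unaffected build, if any."""
    for host, status in triage(inventory).items():
        if status == "OK":
            return host
    return None


# Constructed sample inventory (host names and the 2026.1.17.0 build are
# assumptions for the example; the advisory names no fixed version).
SAMPLE_INVENTORY = {
    "dvls-prod-01": "2026.1.16.0",   # highest affected release
    "dvls-prod-02": "2026.1.9.0",    # would look "newer" under string compare
    "dvls-lab":     "2025.3.20.0",   # older line, also affected
    "dvls-new":     "2026.1.17.0",   # assumed post-fix build
    "dvls-unknown": "2026.1",        # malformed asset record
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```

Run as a script it prints one line per host; imported, `triage()` can be fed the output of whatever asset inventory you already keep. The point of the numeric tuple comparison is the `dvls-prod-02` case: a naive string comparison would wrongly place 2026.1.9.0 above 2026.1.16.0 and mark it as patched.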

Why This Batch Matters

Devolutions Server is a critical piece of infrastructure for organizations managing privileged credentials at scale. The breadth of this batch — touching MFA, sealed entries, vault creation, AD integration, and audit logging — means that even low-severity bugs like CVE-2026-8477 (silent unseal without audit) erode the trust model that PAM products are built on. The two High-severity flaws, CVE-2026-9047 (MFA bypass) and CVE-2026-7325 (AD credential relay), are the ones that demand the most urgent attention from security teams.

AI-written article. Grounded in 9 CVE records listed below.