Vulnerability Details CVE-2026-5175
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.
This issue affects Server: from 2026.1.6 through 2026.1.11.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.9%
CVSS Severity
CVSS v3 Score 5.0
Products affected by CVE-2026-5175
-
cpe:2.3:a:devolutions:devolutions_server:*