CVE-2026-3224 PUBLISHED

Assigner: DEVOLUTIONS
Reserved: 25.02.2026 Published: 03.03.2026 Updated: 04.03.2026

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

Product Status

Vendor: Devolutions
Product: Server
Versions: Default: unaffected
  • affected from 0 to 2025.3.15.0 (incl.)

Problem Types

  • CWE-287: Improper Authentication
  • CWE-347: Improper Verification of Cryptographic Signature