CVE-2026-4927 PUBLISHED

Assigner: DEVOLUTIONS
Reserved: 26.03.2026 Published: 01.04.2026 Updated: 01.04.2026

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.

This issue affects Server: from 2026.1.6 through 2026.1.11.

Product Status

Vendor	Devolutions
Product	Server
Versions	Default: unaffected affected from 2026.1.6 to 2026.1.11 (incl.)

References

https://devolutions.net/security/advisories/DEVO-2026-0010

Problem Types

CWE-201 Insertion of sensitive information into sent data CWE