Vulnerability Details CVE-2026-14536
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 7.7%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-14536
-
cpe:2.3:a:devolutions:devolutions_server:2026.2.4.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.2.5.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.2.7.0
-
cpe:2.3:a:devolutions:devolutions_server:2026.2.9.0