Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
History

Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass Allows Authentication Without Multi‑Factor Confirmation in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Wed, 08 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Tue, 07 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title MFA Enforcement Bypass in Devolutions Server 2026.2.9.0
Weaknesses CWE-285

Mon, 06 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an invalid default MFA value.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published: 2026-07-06T19:23:21.459Z

Updated: 2026-07-06T19:23:21.459Z

Reserved: 2026-07-03T00:08:05.267Z

Link: CVE-2026-14536

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.