What the vulnerability does

01Description

Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.

Key dates

02Disclosure timeline

April 1, 2026 CVE published
April 1, 2026 Record updated