Unauthorized access to Devolutions Server with Azure AD authentication
CVE-2026-3224
Summary
If you use Azure AD (Microsoft Entra ID) authentication with Devolutions Server, an authentication bypass lets an unauthenticated attacker log in as any Entra ID user without a password by presenting a forged JSON Web Token (JWT). This is serious because the attacker could gain access to your server and data. To fix this, update to the latest version of Devolutions Server.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| devolutions | devolutions_server | <= 2025.3.16.0 | – |
Original title
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID ...
Original description
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
NVD CVSS 3.1
9.8
Vulnerability type
CWE-287: Improper Authentication
- https://devolutions.net/security/advisories/DEVO-2026-0005/ Vendor Advisory
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026