{"api_version":"1","generated_at":"2026-04-22T17:47:53+00:00","cve":"CVE-2026-4927","urls":{"html":"https://cve.report/CVE-2026-4927","api":"https://cve.report/api/cve/CVE-2026-4927.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-4927","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-4927"},"summary":{"title":"CVE-2026-4927","description":"Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.","state":"PUBLISHED","assigner":"DEVOLUTIONS","published_at":"2026-04-01 16:23:51","updated_at":"2026-04-03 19:14:03"},"problem_types":["CWE-201","CWE-201 CWE-201 Insertion of sensitive information into sent data"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://devolutions.net/security/advisories/DEVO-2026-0010","name":"https://devolutions.net/security/advisories/DEVO-2026-0010","refsource":"security@devolutions.net","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-4927","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4927","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Devolutions","product":"Server","version":"affected 2026.1.6 2026.1.11 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"4927","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"devolutions","cpe5":"devolutions_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"4927","cve":"CVE-2026-4927","epss":"0.000360000","percentile":"0.106210000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-4927","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-01T19:26:40.599076Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-01T19:26:56.487Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Server","vendor":"Devolutions","versions":[{"lessThanOrEqual":"2026.1.11","status":"affected","version":"2026.1.6","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div>Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.</div></div><p>This issue affects Server: from 2026.1.6 through 2026.1.11.</p>"}],"value":"Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"CWE-201 Insertion of sensitive information into sent data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-01T14:54:45.806Z","orgId":"bfee16bd-18e6-446c-9a65-f5b2e3d89c23","shortName":"DEVOLUTIONS"},"references":[{"url":"https://devolutions.net/security/advisories/DEVO-2026-0010"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"bfee16bd-18e6-446c-9a65-f5b2e3d89c23","assignerShortName":"DEVOLUTIONS","cveId":"CVE-2026-4927","datePublished":"2026-04-01T14:54:45.806Z","dateReserved":"2026-03-26T18:39:49.096Z","dateUpdated":"2026-04-01T19:26:56.487Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-01 16:23:51","lastModifiedDate":"2026-04-03 19:14:03","problem_types":["CWE-201","CWE-201 CWE-201 Insertion of sensitive information into sent data"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.1.6.0","versionEndExcluding":"2026.1.12.0","matchCriteriaId":"C03E8B95-397C-465C-BE01-810DC9852675"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"4927","Ordinal":"1","Title":"CVE-2026-4927","CVE":"CVE-2026-4927","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"4927","Ordinal":"1","NoteData":"Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.\n\n\n\nThis issue affects Server: from 2026.1.6 through 2026.1.11.","Type":"Description","Title":"CVE-2026-4927"}]}}}