Truff5.1

**Name of the Vulnerable Software and Affected Versions** Devolutions Server versions 2025.3.15.0 and earlier **Description** An authentication bypass exists in the Microsoft Entra ID (Azure AD) authentication mode. An unauthenticated user can authenticate as an arbitrary Entra ID user by using a forged JSON Web Token (JWT). The issue affects the `/api/v1/login` endpoint, where a malicious actor can manipulate the `JWT` parameter to gain unauthorized access. **Recommendations** Versions prior to 2025.3.15.0 should be updated.