PT-2026-22830 · Microsoft · Azure AD
Published 2026-03-03 · Updated 2026-03-04
CVE-2026-3224
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Devolutions Server versions 2025.3.15.0 and earlier
Description
An authentication bypass exists in the Microsoft Entra ID (Azure AD) authentication mode. An unauthenticated user can authenticate as an arbitrary Entra ID user by using a forged JSON Web Token (JWT). The issue affects the /api/v1/login endpoint, where a malicious actor can manipulate the JWT parameter to gain unauthorized access.
Recommendations
Versions prior to 2025.3.15.0 should be updated.
Fix
Weakness Enumeration
Improper Authentication
Related Identifiers
Affected Products
Azure AD
Devolutions Server
Entra ID