CVE-2026-3224 | Authentication bypass in the Microsoft Entra ID (Azure AD) a… | CVSS 9.8 CRITICAL

Description

Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).

Metadata

CVE ID: CVE-2026-3224
State: PUBLISHED
Assigner: DEVOLUTIONS
Reserved: 2026-02-25 18:56 UTC
Published: 2026-03-03 21:21 UTC
Last updated: 2026-03-04 14:43 UTC
Primary CWE: CWE-287
CWE-287 Improper Authentication, CWE-347: Improper Verificat…
Vendor / Product: Devolutions / Server
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Devolutions	Server	—	0 ≤ 2025.3.15.0

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287 Improper Authentication, CWE-347: Improper Verification of Cryptographic Signature

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0005/