CVE-2026-3130
Improper Access Control in Devolutions Server Allows Unauthorized PAM Account Deletion
Publication date: 2026-03-03
Last updated on: 2026-03-04
Assigner: Devolutions Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devolutions | devolutions_server | to 2025.3.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-841 | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Devolutions Server version 2025.3.15 and earlier. It involves improper enforcement of behavioral controls that allows an authenticated attacker who has delete permissions to delete a privileged access management (PAM) account that is currently checked out. The attacker can do this by selecting the checked-out account along with at least one non-checked-out account and performing a bulk deletion.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with delete permissions to remove PAM accounts that are currently in use (checked out). This could disrupt access management processes, potentially leading to loss of control over privileged accounts, interruption of services, or unauthorized deletion of critical account information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know