Description
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
Published: 2026-03-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized PAM account deletion
Action: Patch Immediately
AI Analysis

Impact

An authenticated user with delete permission can delete a PAM account that is currently checked out by combining it with at least one non‑checked‑out account in a bulk delete operation. This flaw permits unauthorized account removal, compromising the integrity of user access and potentially disrupting active sessions. The weakness arises from improper enforcement of behavioral controls, classified as CWE-841.

Affected Systems

Devolutions Server, version 2025.3.15 and earlier. The vulnerability affects all deployments of Devolutions Server running the specified releases, regardless of deployment size or configuration.

Risk and Exploitability

The flaw carries a CVSS 9.8 score and a very low EPSS (<1%), indicating a critical severity but a low probability of public exploitation. It is not listed in the CISA KEV catalog. The attacker must be authenticated and possess delete rights, but once those conditions are met, the vulnerability is trivial to exploit by initiating a bulk deletion that targets a checked‑out account. The impact is the unintended loss of critical PAM accounts and potential service disruption.

Generated by OpenCVE AI on April 17, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Devolutions Server version that is newer than 2025.3.15.
  • Revoke delete privileges from users who should not delete PAM accounts, limiting the permission to administrators only.
  • Disable or restrict the bulk delete functionality for checked‑out accounts through configuration or policy.

Generated by OpenCVE AI on April 17, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title Authenticated Users Can Delete Checked‑Out PAM Accounts via Bulk Delete

Wed, 04 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions devolutions Server
CPEs cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Vendors & Products Devolutions devolutions Server

Wed, 04 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions server
Vendors & Products Devolutions
Devolutions server

Tue, 03 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
Weaknesses CWE-841
References

Subscriptions

Devolutions Devolutions Server Server
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-03-04T14:45:47.873Z

Reserved: 2026-02-24T16:52:01.769Z

Link: CVE-2026-3130

cve-icon Vulnrichment

Updated: 2026-03-04T14:45:44.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T22:16:29.280

Modified: 2026-03-04T20:36:33.843

Link: CVE-2026-3130

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:30:19Z

Weaknesses