{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3130", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "state": "PUBLISHED", "assignerShortName": "DEVOLUTIONS", "dateReserved": "2026-02-24T16:52:01.769Z", "datePublished": "2026-03-03T21:27:38.891Z", "dateUpdated": "2026-03-04T14:45:47.873Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Server", "vendor": "Devolutions", "versions": [{"lessThan": "2025.3.16", "status": "affected", "version": "0", "versionType": "0"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Enforcement of Behavioral Controls in&nbsp;Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.</p>"}], "value": "Improper Enforcement of Behavioral Controls in\u00a0Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-03T21:27:38.891Z"}, "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T14:45:32.668018Z", "id": "CVE-2026-3130", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:45:47.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3130", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T14:45:32.668018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:45:44.007Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Devolutions", "product": "Server", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.3.16", "versionType": "0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Enforcement of Behavioral Controls in\u00a0Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Enforcement of Behavioral Controls in&nbsp;Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow"}]}], "providerMetadata": {"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "shortName": "DEVOLUTIONS", "dateUpdated": "2026-03-03T21:27:38.891Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3130", "state": "PUBLISHED", "dateUpdated": "2026-03-04T14:45:47.873Z", "dateReserved": "2026-02-24T16:52:01.769Z", "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23", "datePublished": "2026-03-03T21:27:38.891Z", "assignerShortName": "DEVOLUTIONS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A29A5DF-C6FB-4E5C-A0B2-7C04472C9DF2", "versionEndExcluding": "2025.3.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Enforcement of Behavioral Controls in\u00a0Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion."}], "id": "CVE-2026-3130", "lastModified": "2026-03-04T20:36:33.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-03T22:16:29.280", "references": [{"source": "security@devolutions.net", "tags": ["Vendor Advisory"], "url": "https://devolutions.net/security/advisories/DEVO-2026-0005"}], "sourceIdentifier": "security@devolutions.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-841"}], "source": "security@devolutions.net", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.3.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Server", "source": "cna", "vendor": "Devolutions"}, "product": "server", "vendor": "devolutions"}], "analysis": {"en": {"generated_at": "2026-04-17T13:19:55.767844+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Devolutions Server version that is newer than 2025.3.15.", "Revoke delete privileges from users who should not delete PAM accounts, limiting the permission to administrators only.", "Disable or restrict the bulk delete functionality for checked\u2011out accounts through configuration or policy."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized PAM account deletion"}, "threat_synthesis": {"affected_systems": "Devolutions Server, version 2025.3.15 and earlier. The vulnerability affects all deployments of Devolutions Server running the specified releases, regardless of deployment size or configuration.", "description_and_impact": "An authenticated user with delete permission can delete a PAM account that is currently checked out by combining it with at least one non\u2011checked\u2011out account in a bulk delete operation. This flaw permits unauthorized account removal, compromising the integrity of user access and potentially disrupting active sessions. The weakness arises from improper enforcement of behavioral controls, classified as CWE-841.", "risk_and_exploitability": "The flaw carries a CVSS 9.8 score and a very low EPSS (<1%), indicating a critical severity but a low probability of public exploitation. It is not listed in the CISA KEV catalog. The attacker must be authenticated and possess delete rights, but once those conditions are met, the vulnerability is trivial to exploit by initiating a bulk deletion that targets a checked\u2011out account. The impact is the unintended loss of critical PAM accounts and potential service disruption."}}}}, "created": "2026-03-04T14:53:44.699689+00:00", "title": "Authenticated Users Can Delete Checked\u2011Out PAM Accounts via Bulk Delete", "updated": "2026-04-17T13:30:19.595393+00:00", "vendors": ["devolutions", "devolutions$PRODUCT$server"]}