CVSS 3.1 score (NVD): 9.8

Devolutions Server: Attackers can delete a checked-out PAM account via bulk deletion

CVE-2026-3130
Summary

An authenticated attacker with the delete permission on Devolutions Server can delete a PAM account that is currently checked out by selecting it together with at least one account that is not checked out and deleting them in bulk. The attacker needs permission to delete multiple accounts at once. To fix this, update to a version of Devolutions Server that is not vulnerable.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| devolutions | devolutions_server | <= 2025.3.16.0 | |
Original title
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked...
Original description
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-841
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026