CVE-2026-3130
Published: 03 March 2026
Summary
CVE-2026-3130 is a critical-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in Devolutions Server. Its published CVSS v3.1 base score is 9.8 (Critical); see the note on the vector under Deeper analysis, since the NVD description requires an authenticated user who already holds delete permission.
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires that approved authorizations are enforced on every path that changes state, directly addressing the improper enforcement that lets a bulk deletion remove a checked-out PAM account.
- Access restrictions and validation for change mechanisms such as bulk deletion, so that the bulk path cannot bypass the protection applied to checked-out accounts on the single-item path.
- AC-2 (Account Management): ensures proper management of accounts, including the conditions under which an account may be removed, mitigating the risk of deleting an account that is actively checked out.
MITRE ATT&CK Enterprise Techniques
- T1531 (Account Access Removal)
Why this technique?
The vulnerability bypasses the check-out protection and allows a PAM account to be deleted while another user currently holds it, removing that account and the holder's access to it; this maps to Account Access Removal.
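For the detection side of T1531, the following is an added example, not part of the original page and not Devolutions tooling. The JSON-lines event format, its field names and the sample events are constructed assumptions; a real deployment would map Devolutions Server audit events onto these fields. It replays check-out state in event order, raises an alert for any PAM account deletion that lands while the account still has an open check-out, and summarises each bulk batch so a mixed checked-out/free selection (the trigger condition in the NVD text) is visible.

```python
"""Detection sketch for CVE-2026-3130-style abuse (ATT&CK T1531).

Added example; the event format, field names and sample events below are
constructed assumptions, not a Devolutions Server log format.
"""
import json
from typing import Dict, List

# Constructed sample events: alice checks out svc-db-admin and never checks
# it back in; bob checks out and returns svc-backup; mallory then bulk-deletes
# both in one batch; carol later single-deletes an account nobody holds.
SAMPLE_LOG = """\
{"ts": "2026-03-04T09:00:01Z", "event": "pam.checkout", "account": "svc-db-admin", "user": "alice"}
{"ts": "2026-03-04T09:05:12Z", "event": "pam.checkout", "account": "svc-backup", "user": "bob"}
{"ts": "2026-03-04T09:10:00Z", "event": "pam.checkin", "account": "svc-backup", "user": "bob"}
{"ts": "2026-03-04T09:12:30Z", "event": "pam.delete", "account": "svc-backup", "user": "mallory", "mode": "bulk", "batch": "b1"}
{"ts": "2026-03-04T09:12:30Z", "event": "pam.delete", "account": "svc-db-admin", "user": "mallory", "mode": "bulk", "batch": "b1"}
{"ts": "2026-03-04T09:30:00Z", "event": "pam.delete", "account": "svc-legacy", "user": "carol", "mode": "single"}
"""


def parse_events(log_text: str) -> List[Dict[str, str]]:
    """One dict per non-empty line; malformed lines are skipped rather than fatal."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def analyse(log_text: str) -> Dict[str, object]:
    """Single pass over the events, tracking which account each user holds.

    Returns {"alerts": [...], "batches": {...}}:
      alerts  - one entry per deletion of an account with an open check-out
      batches - per bulk batch id, counts of checked-out vs. free accounts deleted
    """
    open_checkouts: Dict[str, str] = {}  # account -> user holding the check-out
    alerts: List[Dict[str, str]] = []
    batches: Dict[str, Dict[str, int]] = {}
    for ev in parse_events(log_text):
        kind, acct = ev.get("event"), ev.get("account")
        if kind == "pam.checkout":
            open_checkouts[acct] = ev["user"]
        elif kind == "pam.checkin":
            open_checkouts.pop(acct, None)
        elif kind == "pam.delete":
            # A deletion ends the check-out whether or not it was legitimate.
            holder = open_checkouts.pop(acct, None)
            mode = ev.get("mode", "single")
            if mode == "bulk":
                counts = batches.setdefault(ev["batch"], {"checked_out": 0, "free": 0})
                counts["checked_out" if holder else "free"] += 1
            if holder is not None:
                alerts.append({
                    "ts": ev["ts"],
                    "account": acct,
                    "checked_out_by": holder,
                    "deleted_by": ev["user"],
                    "mode": mode,
                    "batch": ev.get("batch", ""),
                })
    return {"alerts": alerts, "batches": batches}


def mixed_batches(batches: Dict[str, Dict[str, int]]) -> List[str]:
    """Batch ids that deleted at least one checked-out and one free account."""
    return [b for b, c in batches.items() if c["checked_out"] and c["free"]]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT checked-out account deleted:", alert)
    print("mixed bulk batches:", mixed_batches(result["batches"]))
```

The rule only works when check-out, check-in and delete events arrive in the same stream and in order; if deletions are ingested before the corresponding check-out records, the held account looks free and the alert is missed, so the batch summary is kept as a second, order-insensitive signal.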
NVD Description
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
Deeper analysis
CVE-2026-3130 is an Improper Enforcement of Behavioral Workflow vulnerability (CWE-841) in Devolutions Server versions 2025.3.15 and earlier. Published on 2026-03-03T22:16:29.280, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that the vector's PR:N (no privileges required) does not match the precondition in the NVD description, which requires an authenticated user who already holds delete permission on PAM accounts; treat the 9.8 as the published figure rather than as a measure of how reachable the flaw is. The flaw is improper handling of bulk deletions of PAM accounts: the protection that blocks deletion of a checked-out account on the single-item path is not enforced for each member of a bulk selection.
An attacker who is authenticated and holds delete permission can exploit this over the network with low complexity and no user interaction. By selecting a currently checked-out PAM account together with at least one non-checked-out account and running a bulk deletion, the attacker deletes the protected checked-out account. The need for a mixed selection implies that a bulk request made up only of checked-out accounts is refused, so the guard is evaluated over the selection as a whole rather than per account; the page does not state the vendor's root cause, so treat that reading as inference. The direct effect is the loss of the account record and disruption of whoever holds the check-out (Account Access Removal); the C:H/I:H/A:H in the vector should be read with the caveat above.
The Devolutions security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005 provides further details, including recommended mitigations and patches. Affected deployments should move to a release later than 2025.3.15 as directed there; until then, restricting PAM delete permission to the smallest set of administrators (AC-2/AC-3 above) narrows who can trigger the bypass, and deletions of checked-out accounts should be reviewed in the audit log.
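To make the workflow failure concrete, the following is an added example, not Devolutions Server code. The in-memory store, the account names and the whole-selection guard in bulk_delete_vulnerable are assumptions chosen to reproduce the trigger condition in the NVD text (a checked-out account mixed with at least one free account); they are not the vendor's actual root cause. The hardened path applies the same per-account guard that the single-deletion path uses, to every member of the batch, before any state changes.

```python
"""Per-account check-out guard on single vs. bulk deletion (CWE-841).

Added example; not Devolutions Server code.  The store layout and the
batch-level guard in bulk_delete_vulnerable are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class CheckedOutError(Exception):
    """Raised when a deletion would remove an account that is checked out."""


@dataclass
class PamAccount:
    account_id: str
    checked_out_by: Optional[str] = None  # holder of the active check-out, if any

    @property
    def is_checked_out(self) -> bool:
        return self.checked_out_by is not None


@dataclass
class PamStore:
    accounts: Dict[str, PamAccount] = field(default_factory=dict)

    def add(self, account: PamAccount) -> None:
        self.accounts[account.account_id] = account

    def checkout(self, account_id: str, user: str) -> None:
        self.accounts[account_id].checked_out_by = user

    def delete_one(self, account_id: str) -> None:
        """Single-item path: the check-out guard is enforced per account."""
        account = self.accounts[account_id]
        if account.is_checked_out:
            raise CheckedOutError(account_id)
        del self.accounts[account_id]

    def bulk_delete_vulnerable(self, account_ids: List[str]) -> List[str]:
        """Bulk path whose guard is evaluated over the selection as a whole.

        Assumed bug: the batch is refused only when *every* selected account
        is checked out.  Mixing in one free account therefore lets a
        checked-out account through, the CVE-2026-3130 trigger condition.
        """
        selected = [self.accounts[i] for i in account_ids]
        if selected and all(a.is_checked_out for a in selected):
            raise CheckedOutError(", ".join(account_ids))
        for account in selected:
            del self.accounts[account.account_id]
        return account_ids

    def bulk_delete_fixed(self, account_ids: List[str]) -> List[str]:
        """Hardened bulk path: the per-account guard from delete_one applied to
        every member before any state changes, so the batch is all-or-nothing."""
        selected = [self.accounts[i] for i in account_ids]
        blocked = [a.account_id for a in selected if a.is_checked_out]
        if blocked:
            raise CheckedOutError(", ".join(blocked))
        for account in selected:
            del self.accounts[account.account_id]
        return account_ids


def build_store() -> PamStore:
    """Constructed sample data: two PAM accounts, one checked out by 'alice'."""
    store = PamStore()
    store.add(PamAccount("svc-db-admin"))
    store.add(PamAccount("svc-backup"))
    store.checkout("svc-db-admin", "alice")
    return store


def refuses(action: Callable[[], object]) -> bool:
    """True if the action is blocked by the check-out guard."""
    try:
        action()
    except CheckedOutError:
        return True
    return False


def run_scenarios() -> Dict[str, bool]:
    """Exercises the three deletion paths against fresh copies of the sample store."""
    results: Dict[str, bool] = {}

    single = build_store()
    results["single_delete_refused"] = refuses(lambda: single.delete_one("svc-db-admin"))

    only_held = build_store()
    results["vuln_all_checked_out_refused"] = refuses(
        lambda: only_held.bulk_delete_vulnerable(["svc-db-admin"]))

    mixed = build_store()
    results["vuln_mixed_refused"] = refuses(
        lambda: mixed.bulk_delete_vulnerable(["svc-db-admin", "svc-backup"]))
    results["vuln_checked_out_account_gone"] = "svc-db-admin" not in mixed.accounts

    fixed = build_store()
    results["fixed_mixed_refused"] = refuses(
        lambda: fixed.bulk_delete_fixed(["svc-db-admin", "svc-backup"]))
    results["fixed_store_intact"] = set(fixed.accounts) == {"svc-db-admin", "svc-backup"}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the hardened version is not the extra list comprehension but where the guard lives: any rule that the single-item path enforces must be re-applied to each element of a bulk request, and it must be checked before the first deletion so a partially applied batch cannot leave the store in a state the single-item path would never have produced.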
Details
- CWE(s)