CVE-2026-3130
Published: 03 March 2026
Summary
CVE-2026-3130 is a critical-severity Improper Enforcement of Behavioral Workflow (CWE-841) vulnerability in Devolutions Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Deeper analysis
CVE-2026-3130 is an Improper Enforcement of Behavioral Controls vulnerability (CWE-841) in Devolutions Server versions 2025.3.15 and earlier. Published on 2026-03-03T22:16:29.280, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables improper handling of bulk deletions for PAM accounts, bypassing protections for checked-out entries.
An authenticated attacker possessing delete permission can exploit this vulnerability over the network with low complexity and no user interaction. By selecting a currently checked-out PAM account alongside at least one non-checked-out account and initiating a bulk deletion, the attacker can delete the protected checked-out account, potentially leading to high impacts on confidentiality, integrity, and availability.
The Devolutions security advisory DEVO-2026-0005 at https://devolutions.net/security/advisories/DEVO-2026-0005 provides further details on the issue, including recommended mitigations and patches.
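The flaw class described above, as an added illustration that is not Devolutions' code and does not claim to reproduce its implementation: a constructed bulk-delete handler whose batch guard is evaluated over the whole selection, so one non-checked-out account lets a checked-out account through, beside a hardened version that applies the single-item rule to every account and fails closed before deleting anything. All names (PamAccount, bulk_delete_flawed, bulk_delete_hardened, the sample accounts) are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PamAccount:
    account_id: str
    checked_out_by: Optional[str] = None  # None means the account is not checked out


class CheckedOutError(Exception):
    """Raised when a deletion would remove a PAM account that is currently checked out."""


def can_delete_single(acct: PamAccount) -> bool:
    """Per-item rule used by the single-delete path: checked-out accounts are protected."""
    return acct.checked_out_by is None


def bulk_delete_flawed(store: Dict[str, PamAccount], ids: List[str]) -> List[str]:
    """Constructed model of the flaw class: the batch guard asks whether *every* selected
    account is checked out, so mixing in one unprotected account bypasses the protection."""
    selected = [store[i] for i in dict.fromkeys(ids)]  # de-duplicate, keep order
    if all(a.checked_out_by is not None for a in selected):
        raise CheckedOutError("all selected accounts are checked out")
    for a in selected:
        del store[a.account_id]  # checked-out accounts are deleted along with the rest
    return [a.account_id for a in selected]


def bulk_delete_hardened(store: Dict[str, PamAccount], ids: List[str]) -> List[str]:
    """Fix: the bulk path reuses the single-item rule for each account and rejects the
    whole batch (no partial deletion) if any selected account is checked out."""
    selected = [store[i] for i in dict.fromkeys(ids)]
    blocked = [a.account_id for a in selected if not can_delete_single(a)]
    if blocked:
        raise CheckedOutError(f"checked-out accounts in batch: {blocked}")
    for a in selected:
        del store[a.account_id]
    return [a.account_id for a in selected]


def attempt(handler, store: Dict[str, PamAccount], ids: List[str]) -> Tuple[str, List[str]]:
    """Run a handler and report ('deleted', ids) or ('rejected', []) without raising."""
    try:
        return "deleted", handler(store, ids)
    except CheckedOutError:
        return "rejected", []


def make_store() -> Dict[str, PamAccount]:
    """Constructed sample inventory: 'svc-db' is checked out by alice, 'svc-web' is free."""
    return {a.account_id: a for a in (PamAccount("svc-db", "alice"), PamAccount("svc-web"))}
```

Running the flawed handler on a mixed selection deletes the checked-out account; the hardened handler rejects the same batch and leaves the store untouched.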
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9336
Vulnerability details
Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability directly bypasses check-out protections to enable unauthorized deletion of PAM accounts, mapping to Account Access Removal.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Requires enforcement of approved authorizations, directly addressing the improper enforcement that allows bulk deletion of checked-out PAM accounts.
- Mandates access restrictions and validation for change mechanisms such as bulk deletions, preventing bypass of checked-out account protections.
- AC-2 (Account Management): Ensures proper management of accounts, including conditions for removal, mitigating the risk of unauthorized deletion of active checked-out accounts.