CRITICALđŸ‡”đŸ‡± Wersja polska

CVE-2026-3130

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-03-04

Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.

đŸ€– AI Analysis
How it works

The behavioral control mechanism (CWE-841) is not properly enforced during bulk deletion operations. An attacker with account deletion privileges can simultaneously select a PAM account currently checked out along with at least one unchecked account, then perform the bulk deletion operation. The system incorrectly allows the entire operation, failing to block deletion of an account in active use.

Impact

An attacker can permanently delete a PAM account actively used by another user, which may interrupt ongoing privileged sessions, destroy authentication credentials, and compromise the integrity and availability of the privileged access management system.

Mitigation & patch

Update Devolutions Server to a version newer than 2025.3.15. Detailed information about available patches can be found in the official vendor security advisory: https://devolutions.net/security/advisories/DEVO-2026-0005

Who is affected

Devolutions Server version 2025.3.15 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Devolutions Server

    APP
    Devolutions
    < 2025.3.16.0
đŸ””
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-3204CRITICAL9.8PL ✓ten sam produkt

Devolutions Server — spoofing komunikatu bƂędu przez nieprawidƂową walidację danych wejƛciowych

CVE-2026-3224CRITICAL9.8PL ✓ten sam produkt

Authentication bypass w Devolutions Server przez sfaƂszowany JWT (Entra ID)

CVE-2026-0610CRITICAL9.8PL ✓ten sam produkt

SQL Injection w module remote-sessions Devolutions Server

CVE-2025-11957CRITICAL9.0PL ✓ten sam produkt

Devolutions Server – nieautoryzowane zatwierdzanie wniosków o dostęp tymczasowy

CVE-2025-6523CRITICAL9.5PL ✓ten sam produkt

Devolutions Server – pominięcie uwierzytelnienia przez brute force kodów awaryjnych

CVE-2026-3130 — Devolutions — Devolutions Server — CRITICAL — CVSS 9.8 | CVEbaza.pl