What the vulnerability does

01Description

Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.

Key dates

02Disclosure timeline

March 3, 2026 CVE published
March 4, 2026 Record updated