cbcvebase.

Devolutions Powershell Universal vulnerabilities

6 known vulnerabilities affecting devolutions/powershell_universal.

Total CVEs
6
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH1MEDIUM5

Vulnerabilities

Page 1 of 1
CVE-2026-4064P3HIGHCVSS 8.3≥ 2026.1.0, < 2026.1.42026-03-17
CVE-2026-4064 [HIGH] CWE-862 CVE-2026-4064: Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026. Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests.
nvd
CVE-2026-3277P3MEDIUMCVSS 6.5fixed in 2026.1.32026-02-27
CVE-2026-3277 [MEDIUM] CWE-312 CVE-2026-3277: The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stor The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials
nvd
CVE-2026-13437P3MEDIUMCVSS 6.5v2026.2.02026-06-29
CVE-2026-13437 [MEDIUM] CWE-201 CVE-2026-13437: Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
nvd
CVE-2026-8694P4MEDIUMCVSS 5.3≤ 2026.1.72026-06-12
CVE-2026-8694 [MEDIUM] CWE-306 CVE-2026-8694: Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthent Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
nvd
CVE-2026-3563P4MEDIUMCVSS 5.5≥ 2026.1.0, < 2026.1.42026-03-17
CVE-2026-3563 [MEDIUM] CWE-1289 CVE-2026-3563: Improper input validation in the apps and endpoints configuration in PowerShell Universal before 202 Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.
nvd
CVE-2026-0618P4MEDIUMCVSS 6.1fixed in 5.6.13fixed in 4.5.62026-01-07
CVE-2026-0618 [MEDIUM] CWE-79 CVE-2026-0618: Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Cross-site Scripting vulnerability in Devolutions PowerShell Universal.This issue affects Powershell Universal: before 4.5.6, before 5.6.13.
nvd
Devolutions Powershell Universal vulnerabilities | cvebase