Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable API mandates PR:L for the AI Agent read role; C:H reflects reusable high-privilege token exposure with no integrity or availability impact.
Primary rating from Vendor (DEVOLUTIONS).
CVSS VectorVendor: DEVOLUTIONS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
AnalysisAI
Devolutions PowerShell Universal 2026.2.0 leaks serialized App Tokens in plaintext within AI Agent job API responses, enabling authenticated privilege escalation through token theft and replay. An authenticated user holding only AI Agent read access - a lower-privileged role - can extract reusable App Tokens that may carry significantly higher privileges than their own account, effectively bypassing the intended access control boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid user account with AI Agent read access within PowerShell Universal 2026.2.0 - unauthenticated exploitation is not possible per the CVSS PR:L rating. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the attack profile: network-reachable, low complexity, but requiring authenticated access with at least the AI Agent read role. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged account bearing AI Agent read access authenticates to PowerShell Universal 2026.2.0 and issues queries to the AI Agent job API endpoint. The API responses contain serialized App Tokens in plaintext; the attacker extracts these tokens and replays them against other PowerShell Universal REST API endpoints, gaining access at the privilege level of the token owner - potentially full administrative control. … |
| Remediation | Apply the vendor-issued fix described in the Devolutions security advisory DEVO-2026-0022 at https://devolutions.net/security/advisories/DEVO-2026-0022/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Powershell Universal
View allThe API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary comman
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing
The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the conf
authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensit
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows un
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoin
Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40127
GHSA-fw4j-fj8v-q67w