Skip to main content

Powershell Universal CVE-2026-3563

| EUVDEUVD-2026-12636 MEDIUM
Improper Validation of Unsafe Equivalence in Input (CWE-1289)
2026-03-17 DEVOLUTIONS
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.1.4
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12636
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 19:15 nvd
MEDIUM 5.5

DescriptionCVE.org

Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.

AnalysisAI

PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoints configuration system that allows authenticated users with creation or modification permissions to inject malicious URL paths that override existing application or system routes. This vulnerability can result in unintended request routing where legitimate traffic is redirected to attacker-controlled endpoints, as well as denial of service conditions through route conflicts. The vulnerability requires high-level authentication privileges (PR:H) but has been formally documented in the ENISA EUVD database (EUVD-2026-12636) and poses a real risk to multi-tenant PowerShell Universal deployments where administrative controls may not be strictly enforced.

Technical ContextAI

PowerShell Universal (CPE: cpe:2.3:a:devolutions:powershell_universal:*:*:*:*:*:*:*:*) is a web-based framework for managing PowerShell automation endpoints and web applications. The vulnerability stems from CWE-1289 (Improper Validation of Specified Quantity in Input), which relates to the framework's failure to properly validate URL path inputs when administrators or authorized users configure new applications and endpoints. The affected versions (2026.1.0 through 2026.1.3) do not implement sufficient sanitization or collision detection when processing route definitions, allowing an authenticated attacker to craft malicious endpoint configurations that conflict with or override legitimate routing rules. This is a resource management and access control weakness in the configuration layer that permits path traversal-adjacent attacks and route hijacking within the PowerShell Universal routing engine.

RemediationAI

Upgrade PowerShell Universal to version 2026.1.4 or later immediately, as this version includes input validation fixes that prevent route override attacks. Consult the Devolutions security advisory at https://devolutions.net/security/advisories/DEVO-2026-0008 for detailed upgrade procedures and version compatibility notes. Pending patching, implement the following compensating controls: (1) audit and restrict endpoint creation permissions to a minimal set of trusted administrators, (2) implement network-level segmentation to limit which internal services PowerShell Universal can route requests to, and (3) enable comprehensive logging of all endpoint and app configuration changes to detect unauthorized route modifications. Additionally, review existing endpoint configurations for suspicious or conflicting URL paths that may indicate prior compromise or misconfiguration.

Share

CVE-2026-3563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy