Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionCVE.org
Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations - including reading sensitive data, creating or deleting resources, and disrupting service operations - via crafted gRPC requests.
AnalysisAI
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.
Technical ContextAI
PowerShell Universal is an automation platform that uses gRPC (Google Remote Procedure Call) for service-to-service communication. The vulnerability stems from CWE-862 (Missing Authorization), where multiple gRPC service endpoints fail to properly validate user permissions beyond basic authentication token verification. The affected product is identified by CPE cpe:2.3:a:devolutions:powershell_universal:*:*:*:*:*:*:*:* and the flaw allows privilege escalation within the application's authorization framework, enabling horizontal and vertical privilege escalation attacks.
RemediationAI
Upgrade PowerShell Universal to version 2026.1.4 or later immediately, as this version contains the necessary authorization checks for the affected gRPC endpoints. The patch is available from Devolutions as detailed in their security advisory at https://devolutions.net/security/advisories/DEVO-2026-0008. Until patching is possible, consider implementing network segmentation to limit access to the gRPC service ports, enable comprehensive logging and monitoring for unauthorized access attempts, and review user permissions to ensure principle of least privilege is enforced at the network layer as a compensating control.
More in Powershell Universal
View allThe API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary comman
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with
The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the conf
Devolutions PowerShell Universal 2026.2.0 leaks serialized App Tokens in plaintext within AI Agent job API responses, en
authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensit
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows un
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoin
Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12637