Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper input validation in the apps and endpoints configuration in PowerShell Universal before 2026.1.4 allows an authenticated user with permissions to create or modify Apps or Endpoints to override existing application or system routes, resulting in unintended request routing and denial of service via a conflicting URL path.
AnalysisAI
PowerShell Universal versions before 2026.1.4 contain an improper input validation vulnerability in the apps and endpoints configuration system that allows authenticated users with creation or modification permissions to inject malicious URL paths that override existing application or system routes. This vulnerability can result in unintended request routing where legitimate traffic is redirected to attacker-controlled endpoints, as well as denial of service conditions through route conflicts. The vulnerability requires high-level authentication privileges (PR:H) but has been formally documented in the ENISA EUVD database (EUVD-2026-12636) and poses a real risk to multi-tenant PowerShell Universal deployments where administrative controls may not be strictly enforced.
Technical ContextAI
PowerShell Universal (CPE: cpe:2.3:a:devolutions:powershell_universal:*:*:*:*:*:*:*:*) is a web-based framework for managing PowerShell automation endpoints and web applications. The vulnerability stems from CWE-1289 (Improper Validation of Specified Quantity in Input), which relates to the framework's failure to properly validate URL path inputs when administrators or authorized users configure new applications and endpoints. The affected versions (2026.1.0 through 2026.1.3) do not implement sufficient sanitization or collision detection when processing route definitions, allowing an authenticated attacker to craft malicious endpoint configurations that conflict with or override legitimate routing rules. This is a resource management and access control weakness in the configuration layer that permits path traversal-adjacent attacks and route hijacking within the PowerShell Universal routing engine.
RemediationAI
Upgrade PowerShell Universal to version 2026.1.4 or later immediately, as this version includes input validation fixes that prevent route override attacks. Consult the Devolutions security advisory at https://devolutions.net/security/advisories/DEVO-2026-0008 for detailed upgrade procedures and version compatibility notes. Pending patching, implement the following compensating controls: (1) audit and restrict endpoint creation permissions to a minimal set of trusted administrators, (2) implement network-level segmentation to limit which internal services PowerShell Universal can route requests to, and (3) enable comprehensive logging of all endpoint and app configuration changes to detect unauthorized route modifications. Additionally, review existing endpoint configurations for suspicious or conflicting URL paths that may indicate prior compromise or misconfiguration.
More in Powershell Universal
View allThe API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary comman
Escalation of privileges in the Web Server in Ironman Software PowerShell Universal 2.x and 3.x allows an attacker with
PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing
The Web Server in Ironman Software PowerShell Universal v3.x and v2.x allows for directory traversal outside of the conf
Devolutions PowerShell Universal 2026.2.0 leaks serialized App Tokens in plaintext within AI Agent job API responses, en
authentication configuration in PowerShell Universal versions up to 2026.1.3 is affected by cleartext storage of sensit
PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows un
Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12636