Skip to main content

Powershell Universal EUVDEUVD-2026-12637

| CVE-2026-4064 HIGH
Missing Authorization (CWE-862)
2026-03-17 DEVOLUTIONS
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:21 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.1.4
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12637
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 19:14 nvd
HIGH 8.3

DescriptionCVE.org

Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations - including reading sensitive data, creating or deleting resources, and disrupting service operations - via crafted gRPC requests.

AnalysisAI

PowerShell Universal before version 2026.1.4 contains insufficient authorization validation on gRPC endpoints, allowing any authenticated user to bypass role-based access controls and execute privileged operations. An attacker with valid credentials can exploit this to read sensitive data, modify or delete resources, and disrupt service availability. No patch is currently available.

Technical ContextAI

PowerShell Universal is an automation platform that uses gRPC (Google Remote Procedure Call) for service-to-service communication. The vulnerability stems from CWE-862 (Missing Authorization), where multiple gRPC service endpoints fail to properly validate user permissions beyond basic authentication token verification. The affected product is identified by CPE cpe:2.3:a:devolutions:powershell_universal:*:*:*:*:*:*:*:* and the flaw allows privilege escalation within the application's authorization framework, enabling horizontal and vertical privilege escalation attacks.

RemediationAI

Upgrade PowerShell Universal to version 2026.1.4 or later immediately, as this version contains the necessary authorization checks for the affected gRPC endpoints. The patch is available from Devolutions as detailed in their security advisory at https://devolutions.net/security/advisories/DEVO-2026-0008. Until patching is possible, consider implementing network segmentation to limit access to the gRPC service ports, enable comprehensive logging and monitoring for unauthorized access attempts, and review user permissions to ensure principle of least privilege is enforced at the network layer as a compensating control.

Share

EUVD-2026-12637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy