Skip to main content

PowerShell Universal EUVDEUVD-2026-36438

| CVE-2026-8694 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-12 DEVOLUTIONS GHSA-23xj-gqpq-c6g6
5.3
CVSS 3.1 · Vendor: DEVOLUTIONS
Share

Severity by source

Vendor (DEVOLUTIONS) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Information disclosure of OpenAPI spec maps to C:L, not I:L; no modification or availability impact applies; PR:N confirmed by unauthenticated description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (DEVOLUTIONS).

CVSS VectorVendor: DEVOLUTIONS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 12, 2026 - 16:50 vuln.today
CVSS changed
Jun 12, 2026 - 16:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 12, 2026 - 14:11 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

AnalysisAI

Unauthenticated remote access to user-defined REST endpoint OpenAPI specifications is possible in Devolutions PowerShell Universal 2026.1.7 and earlier due to improper access control (CWE-306). Any network-reachable attacker without credentials can retrieve the full OpenAPI specification of internally defined REST APIs, exposing endpoint paths, parameters, and operational structure that administrators intended to be non-public. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, but the low-complexity, zero-authentication network vector makes enumeration trivially automatable.

Technical ContextAI

PowerShell Universal, developed by Devolutions, is a platform for building and hosting REST APIs, dashboards, and automation scripts using PowerShell. It exposes an OpenAPI specification layer for user-defined REST endpoints - functionality intended for authenticated internal consumers. CWE-306 (Missing Authentication for Critical Function) identifies the root cause: the endpoint serving the OpenAPI schema for user-defined APIs does not enforce authentication, allowing any caller to retrieve the full interface contract. The CPE string cpe:2.3:a:devolutions:powershell_universal:*:*:*:*:*:*:*:* indicates all editions and platforms of the product are affected through version 2026.1.7. OpenAPI specifications can reveal internal route naming conventions, expected parameter types, authentication schemes referenced in endpoint definitions, and operational logic inferences - all useful for pre-attack reconnaissance.

RemediationAI

Apply the vendor-released patch per Devolutions security advisory DEVO-2026-0016, available at https://devolutions.net/security/advisories/DEVO-2026-0016/. The specific fixed release version was not included in the available intelligence; consult the advisory directly to confirm the minimum safe version beyond 2026.1.7. As a compensating control for environments that cannot patch immediately, restrict network access to the PowerShell Universal instance using firewall rules or a reverse proxy that enforces authentication at the perimeter before requests reach the OpenAPI specification endpoints - this reduces exposure without modifying the application, but requires infrastructure changes. Alternatively, if PowerShell Universal's API gateway supports route-level authentication middleware, verify that the OpenAPI spec endpoint is explicitly included in protected routes rather than excluded by default. Do not rely on obscurity of endpoint paths alone, as that defense is eliminated by this vulnerability.

Share

EUVD-2026-36438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy