Description
Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with AI Agent read access to Devolutions PowerShell Universal can retrieve reusable authentication tokens that are serialized in plaintext by the AI Agent job API. The flaw exposes token material that could be used for higher‑privileged access. This is a classic information exposure weakness classified under CWE‑201.

Affected Systems

The vulnerability affects Devolutions PowerShell Universal version 2026.2.0. Systems running this version with AI Agent services exposed should be examined for the presence of the affected API endpoints.

Risk and Exploitability

The attack surface is limited to internal users or services that authenticate and possess AI Agent read permissions; it does not allow arbitrary remote code execution. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits so far. Nonetheless, the exposure of authentication tokens presents a high confidentiality risk and should be treated with urgent priority.

Generated by OpenCVE AI on June 29, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or advisory for any patch or update that addresses the plaintext token serialization
  • Limit AI Agent read permissions to a minimal set of authorized users and services
  • Audit and monitor API responses for exposed tokens, and rotate tokens promptly if leakage is detected

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:30:00 +0000

  • Metrics (values added):
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 18:15:00 +0000

  • Title (value added): Sensitive Authentication Token Exposure in Devolutions PowerShell Universal AI Agent Job API

Mon, 29 Jun 2026 16:15:00 +0000

  • Description (value added): Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
  • Weaknesses (value added): CWE-201
  • References

MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-29T16:25:22.355Z

Reserved: 2026-06-26T15:34:21.331Z

Link: CVE-2026-13437

Vulnrichment

Updated: 2026-06-29T16:25:12.477Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:06Z

Weaknesses

  • CWE-201: Insertion of Sensitive Information Into Sent Data