Description
Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to retrieve the OpenAPI specification for user‑defined REST endpoints. The flaw, classified as CWE‑306, results in information disclosure of detailed endpoint definitions that could help an attacker understand the application’s structure.

Affected Systems

Devolutions PowerShell Universal version 2026.1.7 and all earlier releases are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity level for this vulnerability. The EPSS score is not available and the vulnerability is not listed in CISA KEV, indicating limited public exploitation data. However, the flaw permits unauthenticated HTTP access to the full API definition via the /openapi endpoint, meaning a simple request can expose the specification. The risk stems from the breadth of information disclosed, though no direct data exfiltration or code execution is enabled by this flaw.

Generated by OpenCVE AI on June 12, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devolutions PowerShell Universal to a version newer than 2026.1.7 where the OpenAPI endpoint requires authentication.
  • Configure network or proxy controls to block unauthenticated requests to the /openapi endpoint, restricting access to trusted IP ranges or VPN connections.
  • Check the Devolutions website for any vendor‑issued patches or updates and apply them as soon as they become available.

Generated by OpenCVE AI on June 12, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Devolutions
Devolutions powershell Universal
Vendors & Products Devolutions
Devolutions powershell Universal

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
Title Improper access control on the API documentation endpoint in PowerShell Universal
Weaknesses CWE-306
References

Subscriptions

Devolutions Powershell Universal
cve-icon MITRE

Status: PUBLISHED

Assigner: DEVOLUTIONS

Published:

Updated: 2026-06-12T15:17:07.858Z

Reserved: 2026-05-15T15:10:55.558Z

Link: CVE-2026-8694

cve-icon Vulnrichment

Updated: 2026-06-12T15:16:54.748Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T15:16:32.430

Modified: 2026-06-12T16:16:34.547

Link: CVE-2026-8694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T18:00:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function