CVE-2026-8694
Description
Devolutions PowerShell Universal 2026.1.7 and earlier exposes user-defined REST endpoint OpenAPI specs to unauthenticated remote attackers due to improper access control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper access control vulnerability exists in Devolutions PowerShell Universal versions 2026.1.7 and earlier [1]. The flaw allows an unauthenticated remote attacker to retrieve the OpenAPI specification of user-defined REST endpoints [1]. No authentication or special privileges are required to exploit this issue [1].
Exploitation
An unauthenticated attacker with network access to a vulnerable PowerShell Universal instance can request the OpenAPI specification for user-defined REST endpoints. The attacker does not need prior authentication or any other form of access [1]. The exact endpoint used to obtain the specification is not disclosed in the available references, but the advisory confirms that the operation is unauthenticated [1].
Impact
Successful exploitation discloses the OpenAPI specification of user-defined REST endpoints [1]. The specification may contain details about the API structure, parameters, and request/response formats, as well as potentially sensitive information such as endpoint functionality or internal system details, all of which can aid further attacks [1]. The disclosure does not directly lead to code execution or privilege escalation, but it increases the attack surface by giving an attacker a detailed blueprint of the exposed API [1].
Mitigation
Devolutions has not yet released a patched version for PowerShell Universal as of the advisory publication date [1]. Users are advised to monitor the Devolutions security advisory page for updates and apply a fix once available. Restricting network access to the PowerShell Universal service and using firewall rules to limit exposure may reduce the risk [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=2026.1.7
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.