CVE-2026-13437
Received - Intake

Sensitive Information Exposure in Devolutions PowerShell Universal AI Agent Job API

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Devolutions Inc.

Description

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor       Product               Version / Range
devolutions  powershell_universal  2026.2.0
devolutions  powershell_universal  to 2026.2.1 (inc)

Exploitability

CWE ID   Description
CWE-201  The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Compliance Impact

This vulnerability involves the disclosure of sensitive authentication tokens in plaintext, which could lead to unauthorized access to higher-privileged credentials.

Such exposure of sensitive information may negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive authentication data and preventing unauthorized access.

Organizations using the affected software should consider this risk in their compliance assessments and apply the recommended mitigation by upgrading to version 2026.2.1 or higher.

Executive Summary

This vulnerability, identified as CVE-2026-13437, occurs in Devolutions PowerShell Universal version 2026.2.0. It involves the insertion of sensitive authentication tokens into the AI Agent job API responses. Specifically, an authenticated user with AI Agent read access can obtain these tokens, which are serialized in plaintext. These tokens may have higher privileges and can be reused, potentially allowing unauthorized actions.

Impact Analysis

The impact of this vulnerability is significant because it allows an authenticated user with limited AI Agent read access to retrieve reusable authentication tokens that may have higher privileges. This can lead to unauthorized access or actions within the system, increasing the risk of data breaches or misuse of system resources.

Mitigation Strategies

To mitigate the vulnerability in Devolutions PowerShell Universal 2026.2.0, users should upgrade to version 2026.2.1 or higher.
