CVE-2026-8694
Status: Awaiting Analysis
Improper Access Control in Devolutions PowerShell Universal

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Devolutions Inc.

Description
Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: devolutions
Product: powershell_universal
Version / Range: up to 2026.2.0 (exclusive)
CWE ID: CWE-306
Description: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

This vulnerability is an improper access control issue in Devolutions PowerShell Universal versions 2026.1.7 and earlier. It allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints by accessing the API documentation endpoint.

Impact Analysis

An unauthenticated attacker can remotely access detailed API documentation, specifically the OpenAPI specification of user-defined REST endpoints. This exposure can reveal sensitive information about the API structure and endpoints, which could be leveraged for further attacks or exploitation.

Detection Guidance

This vulnerability can be detected by attempting to access the OpenAPI specification of user-defined REST endpoints through the API documentation endpoint without authentication.

A possible method to detect this on your network or system is to send an unauthenticated HTTP request to the API documentation endpoint and check if the OpenAPI specification is returned.

  • Use a command such as: curl http://<target-server>/api-docs (or the specific API documentation endpoint URL) and check whether the OpenAPI specification is returned without authentication.
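
The check described above, as an added example (not code from the advisory or from Devolutions): a Python helper for verifying your own server that sends one request with no credentials and classifies the answer, listing the endpoint paths the specification discloses. The /api-docs path is taken from the curl example and may differ per deployment; the sample specification and its endpoint names are constructed.

```python
import json
import urllib.error
import urllib.request

# Constructed sample of what an exposed documentation endpoint might return.
SAMPLE_SPEC = b'''{"openapi": "3.0.1", "info": {"title": "sample"},
 "paths": {"/restart-service": {"post": {}}, "/inventory/{id}": {"get": {}}}}'''

def classify_docs_response(status, body):
    """Return (verdict, disclosed_paths) for an unauthenticated response."""
    if status in (401, 403) or 300 <= status < 400:
        return ("protected", [])      # auth demanded, or redirect to a login page
    if status != 200:
        return ("inconclusive", [])   # e.g. 404: wrong path for this deployment
    try:
        doc = json.loads(body)
    except ValueError:
        return ("inconclusive", [])   # HTML page or YAML: inspect by hand
    if (isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc)
            and isinstance(doc.get("paths"), dict)):
        return ("exposed", sorted(doc["paths"]))
    return ("inconclusive", [])

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                   # report the 3xx instead of following it

def check_server(url, timeout=10):
    """Fetch url with no credentials or cookies and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_docs_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_docs_response(err.code, err.read())

if __name__ == "__main__":
    # Offline demonstration on constructed responses; for a live check call
    # check_server("http://<target-server>/api-docs") against your own server.
    for status, body in [(200, SAMPLE_SPEC), (401, b""), (200, b"<html>login</html>")]:
        verdict, paths = classify_docs_response(status, body)
        print(status, verdict, paths)
```

A verdict of "exposed" on a server that is expected to require authentication indicates the affected behaviour; "inconclusive" means the response needs manual review rather than that the server is safe.
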
Mitigation Strategies

The immediate recommended step to mitigate this vulnerability is to upgrade Devolutions PowerShell Universal to version 2026.2.0 or higher.
