CVE-2026-8694

MEDIUM

Improper access control on the API documentation endpoint in PowerShell Universal

Title source: cna

Description

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

References (1)

Core 1

Core References

DEVO-2026-0016

https://devolutions.net/security/advisories/DEVO-2026-0016/

Scores

CVSS v3 5.3

EPSS 0.0022

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (2)

Devolutions/PowerShell Universal < 2026.1.7

ironmansoftware/powershell_universal < 2026.1.7

Published Jun 12, 2026

Tracked Since Jun 12, 2026