CVE-2026-3277 PUBLISHED

Assigner: DEVOLUTIONS
Reserved: 26.02.2026 Published: 27.02.2026 Updated: 27.02.2026

The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials

Product Status

Vendor	Devolutions
Product	PowerShell Universal
Versions	Default: unaffected affected from 0 to 2026.1.3 (excl.)

References

https://devolutions.net/security/advisories/DEVO-2026-0006

Problem Types

CWE-312 Cleartext Storage of Sensitive Information CWE