CVE-2026-8694 PUBLISHED

Improper access control on the API documentation endpoint in PowerShell Universal

Assigner: DEVOLUTIONS
Reserved: 15.05.2026 Published: 12.06.2026 Updated: 12.06.2026

Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints.

Product Status

Vendor	Devolutions
Product	PowerShell Universal
Versions	Default: unaffected affected from 0 to 2026.1.7 (incl.)

References

DEVO-2026-0016

Problem Types

CWE-306 Missing Authentication for Critical Function CWE