CVE Catalog

CVE-2026-13437

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

In Devolutions PowerShell Universal 2026.2.0, a vulnerability was found involving the insertion of sensitive information into sent data in the AI Agent job API. An authenticated user with AI Agent read access can obtain reusable authentication tokens with potentially higher privileges, which are serialized in plaintext in job API responses.

Risk Assessment

The risk involves potential privilege escalation by an attacker who can intercept authentication tokens and gain unauthorized access to resources with higher privileges, potentially leading to confidentiality and integrity breaches.

Recommendation

It is recommended to immediately update Devolutions PowerShell Universal to a version newer than 2026.2.0 that fixes this vulnerability. Additionally, restrict access to the AI Agent API to trusted users only and monitor logs for suspicious activities.

Original NVD description (English source)

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS