CVE-2026-13437 | Insertion of sensitive information into sent data in the AI … | CVSS 6.5 MEDIUM

Description

Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.

Metadata

CVE ID: CVE-2026-13437
State: PUBLISHED
Assigner: DEVOLUTIONS
Reserved: 2026-06-26 15:34 UTC
Published: 2026-06-29 15:23 UTC
Last updated: 2026-06-29 16:25 UTC
Primary CWE: CWE-201
CWE-201 Insertion of Sensitive Information Into Sent Data
Vendor / Product: Devolutions / PowerShell Universal
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Devolutions	PowerShell Universal	—	2026.2.0

Weakness (CWE)

CWE	Source	Description
CWE-201	cna	CWE-201 Insertion of Sensitive Information Into Sent Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

https://devolutions.net/security/advisories/DEVO-2026-0022/