CVE-2026-3277: CWE-312 Cleartext Storage of Sensitive Information in Devolutions PowerShell Universal
The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials.
AI Analysis
Technical Summary
CVE-2026-3277 affects Devolutions PowerShell Universal before 2026.1.3. When OpenID Connect (OIDC) authentication is configured, the OIDC client secret is written as a cleartext literal into the .universal/authentication.ps1 configuration script. That is CWE-312 (Cleartext Storage of Sensitive Information): the credential PowerShell Universal presents to the identity provider's token endpoint sits in a file whose only protection is the file system ACL on the repository folder.

Anyone who can read that file obtains the client ID and client secret, which together let them authenticate to the identity provider as the PowerShell Universal client. Read access is the whole precondition. It can come from a shared or over-privileged account on the host, from a foothold gained elsewhere followed by lateral movement, or from copies of the repository folder that leave the host (backups, or the remote repository that PowerShell Universal's git sync pushes to, where that feature is in use).

The analysis scores this CVSS v3.1 5.5 (Medium), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: local attack vector, low complexity, no privileges required but user interaction required, unchanged scope, high confidentiality impact, no integrity or availability impact. Two caveats. The CVE record itself lists no CVSS version (see Technical Details), so treat this vector as the analysis's own scoring rather than the assigner's. And PR:N together with UI:R is an awkward encoding of "can read the file"; judge your exposure by who can actually read the repository folder in your deployment, not by the vector string.

No exploitation in the wild has been reported and the record links no patch, but the issue is fixed in 2026.1.3 and later, so upgrade. The advisory does not say how the fixed version stores the secret; after upgrading, confirm that authentication.ps1 no longer contains the literal value. Until the secret is rotated at the identity provider, every copy of the old file remains a working credential.
Potential Impact
The direct impact is loss of confidentiality of the OIDC client secret. With the client ID and secret, an attacker can authenticate to the identity provider's token endpoint as the PowerShell Universal client. What that buys depends on how the identity provider has the client configured: at minimum it lets them redeem authorization codes that were issued for PowerShell Universal; if the client is also permitted the client-credentials grant, it yields tokens in the application's own name. Either path can lead to data accessed under the application's identity, privilege escalation, and lateral movement into the systems that trust those tokens. Integrity and availability of PowerShell Universal itself are not affected, but a leaked relying-party credential undermines every control that assumes the identity provider only talks to the real application. The local-read precondition narrows the exposure on a hardened, single-purpose host; on a shared administrative host, or wherever the repository folder is backed up or synchronised to git, it is easy to meet. Nothing has been reported in the wild, which is no reason to defer: a leaked client secret stays valid until it is rotated at the identity provider, so fix this on the same schedule as any other leaked credential.
Mitigation Recommendations
Upgrade Devolutions PowerShell Universal to 2026.1.3 or later. Then rotate the OIDC client secret at the identity provider and update PowerShell Universal with the new value. Rotate whether or not you can prove the old file was read: the exposure window covers every backup, git commit and VM snapshot that includes the repository folder, and the absence of file-access audit events is not evidence that nobody read it. If PowerShell Universal's git sync is enabled, treat the remote repository and its history as having held the secret too.

Until you can upgrade, reduce the file's readership: restrict the ACL on .universal/authentication.ps1 (and the repository folder above it) to administrators and the account the PowerShell Universal service runs as, stop inheriting the folder's ACL, and enable object-access auditing on the file so that reads are logged. Keep the file out of backups and git histories that broader groups can read, or encrypt those at rest with keys those groups do not hold. Network segmentation and least privilege on the host reduce the chance that an attacker gets local read access in the first place; monitoring for unexpected reads of the file, and for token-endpoint activity from unfamiliar sources at the identity provider, catches use of a leaked secret. Finally, make it a standing rule that administrators never paste secrets as literals into configuration scripts; reference them from a secret store instead.
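The scan for a cleartext secret, the vulnerable and corrected forms of the configuration, and the ACL tightening described above, as an added example for this page; it is not code from Devolutions or from PowerShell Universal. Because the advisory does not show the file, it assumes that the OIDC method is configured with Set-PSUAuthenticationMethod -Type OpenIDConnect and a -ClientSecret parameter, that a PowerShell Universal secret variable is referenced as $Secret:Name, and that the caller supplies the service account to grant; the demo at the bottom runs against a constructed copy of authentication.ps1 under the temp directory, not against a real installation.

```powershell
#Requires -Version 5.1
# Added example for CVE-2026-3277. Not Devolutions code. Assumed (not on the advisory page):
# the -ClientSecret parameter of Set-PSUAuthenticationMethod and the $Secret:Name syntax.

function Find-CleartextOidcSecret {
    <# Reports every -ClientSecret whose value is a quoted literal. A $Secret:Name or
       $env:NAME reference does not match. The secret itself is never returned, only its
       length, so the finding is safe to forward to a SIEM. #>
    param([Parameter(Mandatory)][string]$AuthScriptPath)

    $pattern = '(?i)-ClientSecret\s+(["''])(?<secret>[^"'']+)\1'
    Select-String -LiteralPath $AuthScriptPath -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{
            Path         = $_.Path
            Line         = $_.LineNumber
            SecretLength = $_.Matches[0].Groups['secret'].Value.Length
        }
    }
}

function Get-AuthScriptReader {
    <# Lists every principal holding an Allow ACE that includes ReadData, and whether that
       principal is on the expected list. Generic-rights ACEs (GENERIC_READ etc.) are not
       decoded here; they are rare on files. #>
    param(
        [Parameter(Mandatory)][string]$AuthScriptPath,
        [string[]]$AllowedPrincipals = @()
    )
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -LiteralPath $AuthScriptPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $readData) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Expected  = $AllowedPrincipals -contains $ace.IdentityReference.Value
        }
    }
}

function Protect-AuthScript {
    <# Replaces the file's DACL: inheritance off, admins get FullControl, the PSU service
       account gets Modify (PSU rewrites this file when the authentication method is
       changed in the admin console), nobody else gets anything. #>
    param(
        [Parameter(Mandatory)][string]$AuthScriptPath,
        [Parameter(Mandatory)][string]$ServiceAccount,
        [string[]]$AdminPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl = Get-Acl -LiteralPath $AuthScriptPath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the repository folder's ACL
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)         # drop every explicit ACE, then rebuild
    }
    foreach ($p in $AdminPrincipals) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($p, 'FullControl', 'Allow'))
    }
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($ServiceAccount, 'Modify', 'Allow'))
    Set-Acl -LiteralPath $AuthScriptPath -AclObject $acl
}

# --- Demo on a constructed copy of authentication.ps1 (temp directory, not a PSU install) ---
$demoRepo   = Join-Path ([IO.Path]::GetTempPath()) 'psu-cve-2026-3277-demo'
New-Item -ItemType Directory -Path (Join-Path $demoRepo '.universal') -Force | Out-Null
$authScript = Join-Path $demoRepo '.universal\authentication.ps1'

# Before: the pattern this CVE describes, the client secret as a literal in the script.
@'
Set-PSUAuthenticationMethod -Type OpenIDConnect -Authority 'https://login.example.com' `
    -ClientId 'psu-portal' -ClientSecret 'example-only-not-a-real-secret'
'@ | Set-Content -LiteralPath $authScript -Encoding UTF8
Find-CleartextOidcSecret -AuthScriptPath $authScript | Format-Table -AutoSize   # scan the vulnerable form

# After: the same configuration reading the value from a PSU secret variable (assumed syntax).
@'
Set-PSUAuthenticationMethod -Type OpenIDConnect -Authority 'https://login.example.com' `
    -ClientId 'psu-portal' -ClientSecret $Secret:OidcClientSecret
'@ | Set-Content -LiteralPath $authScript -Encoding UTF8
Find-CleartextOidcSecret -AuthScriptPath $authScript | Format-Table -AutoSize   # scan the corrected form

# Tighten the ACL and list who can still read the file. Get-Acl/Set-Acl are Windows-only,
# so this part is skipped elsewhere. The current user stands in for the PSU service account.
if ($IsWindows -or $PSVersionTable.PSVersion.Major -le 5) {
    $svc = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # replace with the real service account
    Protect-AuthScript -AuthScriptPath $authScript -ServiceAccount $svc
    Get-AuthScriptReader -AuthScriptPath $authScript `
        -AllowedPrincipals 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $svc | Format-Table -AutoSize
}
```

Run it in a Windows PowerShell 5.1 or PowerShell 7 session on Windows. In production, point Find-CleartextOidcSecret at the real file and forward only the returned objects (path, line, length) to your SIEM; the function deliberately never returns the secret. Protect-AuthScript grants the service account Modify rather than Read because PowerShell Universal rewrites this file when the authentication method is changed in the admin console; if your deployment manages the file purely through git, Read is enough. Git history is outside this script: if the repository folder is git-synced, assume the remote already holds the secret and rotate it.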
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2026-02-26T15:29:18.531Z
- CVSS Version: null (the record carries no CVSS vector of its own)
- State: PUBLISHED
Threat ID: 69a1b7a632ffcdb8a23ccfc5
Added to database: 2/27/2026, 3:26:30 PM
Last enriched: 3/31/2026, 7:31:00 PM
Last updated: 4/12/2026, 4:02:48 PM