CVE-2026-3277: CWE-312 Cleartext Storage of Sensitive Information in Devolutions PowerShell Universal
CVE-2026-3277 is a vulnerability in Devolutions PowerShell Universal prior to version 2026.1.3 where the OpenID Connect (OIDC) client secret is stored in cleartext within the .universal/authentication.ps1 script. This cleartext storage allows any attacker with read access to this file to obtain sensitive OIDC client credentials, potentially enabling unauthorized access to authentication flows. The vulnerability arises from improper handling of sensitive information (CWE-312). Although no known exploits are reported in the wild, the risk is significant due to the sensitivity of the client secret. Organizations using affected versions should upgrade promptly and restrict file access permissions. Countries with significant use of PowerShell Universal and critical infrastructure relying on OIDC authentication are at higher risk.
AI Analysis
Technical Summary
CVE-2026-3277 identifies a security vulnerability in Devolutions PowerShell Universal versions prior to 2026.1.3, specifically related to the OpenID Connect (OIDC) authentication configuration. The vulnerability involves the storage of the OIDC client secret in cleartext within the .universal/authentication.ps1 script file. This secret is a critical credential used to authenticate the application with the OIDC provider. Storing it in plaintext violates secure credential management best practices and exposes the secret to any entity with read access to the file system location. An attacker who gains read access to this script can extract the client secret, potentially allowing them to impersonate the application or escalate privileges within the authentication framework. The vulnerability is classified under CWE-312, which concerns cleartext storage of sensitive information. Although no public exploits have been reported, the risk is non-trivial because the client secret is a high-value target for attackers aiming to compromise authentication mechanisms. The vulnerability does not require user interaction but does require the attacker to have read access to the file system where the script resides, which may be possible through other attack vectors such as compromised credentials, insider threats, or misconfigured permissions. The lack of a CVSS score suggests this is a newly disclosed issue, but the impact on confidentiality and potential for privilege escalation justify a high severity rating. The vulnerability affects all deployments of PowerShell Universal prior to version 2026.1.3 that use OIDC authentication and do not have additional compensating controls in place.
Potential Impact
The primary impact of CVE-2026-3277 is the compromise of confidentiality of the OIDC client secret, which is a sensitive credential used in authentication flows. If an attacker obtains this secret, they can potentially impersonate the affected application to the OIDC provider, bypass authentication controls, and gain unauthorized access to protected resources. This can lead to unauthorized data access, privilege escalation, and lateral movement within an organization's network. The vulnerability could also undermine trust in the authentication infrastructure, leading to broader security implications. Organizations relying on PowerShell Universal for automation, orchestration, or administrative tasks that integrate with OIDC providers are at risk of having their authentication mechanisms compromised. The ease of exploitation depends on the attacker's ability to read the .universal/authentication.ps1 file, which may be facilitated by weak file permissions, insider threats, or other vulnerabilities. While no exploits are currently known in the wild, the vulnerability presents a significant risk if combined with other attack vectors. The scope includes all affected versions globally, impacting any organization using the vulnerable software with OIDC authentication enabled.
Mitigation Recommendations
To mitigate CVE-2026-3277, organizations should immediately upgrade Devolutions PowerShell Universal to version 2026.1.3 or later, where this vulnerability has been addressed. Until the upgrade is applied, organizations should enforce strict file system permissions on the .universal/authentication.ps1 script to restrict read access only to trusted administrative users and service accounts. Implementing robust access control policies and monitoring file access logs can help detect unauthorized attempts to read sensitive files. Additionally, consider rotating the OIDC client secret after remediation to invalidate any potentially compromised credentials. Employing secrets management solutions that securely store and inject credentials at runtime can prevent cleartext storage in scripts. Regularly audit and review authentication configurations and secrets storage practices to ensure compliance with security best practices. Finally, conduct security awareness training to reduce insider threats and ensure that only authorized personnel have access to sensitive configuration files.
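An added audit script (not Devolutions' or this page's own code) covering the two conditions the mitigation section names: a hard-coded -ClientSecret literal in .universal/authentication.ps1, and read access on that file for principals outside a trusted set. It assumes a Windows host, PSU's default repository path under %ProgramData%, and that OIDC is configured with Set-PSUAuthenticationMethod -ClientSecret; the function, parameter and service-account names are hypothetical.

```powershell
# Added audit example for CVE-2026-3277 (not Devolutions' code). Assumes a Windows host,
# PSU's default repository path, and that OIDC is configured in authentication.ps1 via
# Set-PSUAuthenticationMethod -ClientSecret. Function and parameter names are hypothetical.
function Test-PsuOidcSecretExposure {
    param(
        [string]   $RepoRoot = "$env:ProgramData\UniversalAutomation\Repository",
        # Identities that legitimately need the file: SYSTEM, local admins and the account
        # the PSU service runs as (constructed name, replace with the real one).
        [string[]] $TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\svc-psu')
    )

    $path = Join-Path $RepoRoot '.universal\authentication.ps1'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; LiteralSecret = $false; UntrustedReaders = @() }
    }

    # Check 1 (CWE-312): a quoted string literal passed to -ClientSecret. Values beginning
    # with '$' (a variable, $env: or a secret-store reference) are not flagged.
    $content       = Get-Content -LiteralPath $path -Raw
    $literalSecret = $content -match '(?im)-ClientSecret\s+(["''])[^"''$][^"'']*\1'

    # Check 2 (compensating control): Allow ACEs granting any read right to a principal outside
    # the trusted set. Generic rights appear as negative ints (GENERIC_READ) or GENERIC_ALL.
    $readBits  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $untrusted = @(
        (Get-Acl -LiteralPath $path).Access |
            Where-Object {
                $rights = [int]$_.FileSystemRights
                ($_.AccessControlType -eq 'Allow') -and
                ($TrustedPrincipals -notcontains $_.IdentityReference.Value) -and
                ((($rights -band $readBits) -ne 0) -or ($rights -lt 0) -or (($rights -band 0x10000000) -ne 0))
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    )

    [pscustomobject]@{
        Path             = $path
        Exists           = $true
        LiteralSecret    = [bool]$literalSecret
        UntrustedReaders = $untrusted
    }
}

$result = Test-PsuOidcSecretExposure
$result | Format-List
if ($result.LiteralSecret) { Write-Warning 'Hard-coded -ClientSecret: move it to a secret store and rotate it at the IdP.' }
if ($result.UntrustedReaders.Count -gt 0) { Write-Warning "Read access beyond the trusted set: $($result.UntrustedReaders -join ', ')" }
```

A true LiteralSecret together with a non-empty UntrustedReaders list is the exposure the advisory describes; after fixing either condition, rotate the secret at the identity provider as the text recommends.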
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: DEVOLUTIONS
- Date Reserved: 2026-02-26T15:29:18.531Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69a1b7a632ffcdb8a23ccfc5
Added to database: 2/27/2026, 3:26:30 PM
Last enriched: 2/27/2026, 3:42:44 PM
Last updated: 2/27/2026, 7:20:05 PM