CVE-2026-4064
Published: 17 March 2026
Summary
CVE-2026-4064 is a high-severity Missing Authorization (CWE-862) vulnerability in Ironmansoftware Powershell Universal. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 24.1 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-4064 is a missing authorization vulnerability affecting multiple gRPC service endpoints in PowerShell Universal versions prior to 2026.1.4. Published on 2026-03-17, it stems from CWE-862 (Missing Authorization) and has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L). The flaw enables bypassing role-based access controls due to inadequate checks on these endpoints.
An authenticated attacker with any valid token can exploit this vulnerability over the network with low complexity and no user interaction required. By sending crafted gRPC requests, they can perform privileged operations, such as reading sensitive data, creating or deleting resources, and disrupting service operations.
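The following is an added example, not code from PowerShell Universal, Ironmansoftware or Devolutions. It contrasts the CWE-862 pattern described above (any valid token is accepted for every endpoint) with a deny-by-default, per-method role check of the kind that enforces RBAC on RPC endpoints. The service and method names, roles and bearer tokens are constructed for illustration; no gRPC library is required because the policy logic is what matters.

```python
# Added example (not code from PowerShell Universal, Ironmansoftware or
# Devolutions): deny-by-default, per-method authorization for RPC endpoints.
# Method names, roles and tokens below are constructed for illustration.
from dataclasses import dataclass


class Unauthenticated(Exception):
    """No bearer token, or a token the service does not recognise."""


class PermissionDenied(Exception):
    """Valid token, but the caller's roles do not cover the method."""


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset


# Constructed token store: bearer value -> caller identity and roles.
TOKENS = {
    "tok-reader": Principal("alice", frozenset({"Reader"})),
    "tok-operator": Principal("bob", frozenset({"Reader", "Operator"})),
    "tok-admin": Principal("carol", frozenset({"Administrator"})),
}

# Constructed policy: full RPC method name -> roles allowed to call it.
# Any method absent from this table is denied for everyone (deny by default).
METHOD_POLICY = {
    "/scripts.Scripts/Get": {"Reader", "Operator", "Administrator"},
    "/scripts.Scripts/Create": {"Operator", "Administrator"},
    "/scripts.Scripts/Delete": {"Administrator"},
    "/service.Service/Restart": {"Administrator"},
}


def authenticate(metadata):
    """Resolve the bearer token in the request metadata to a Principal."""
    auth = metadata.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthenticated("missing bearer token")
    principal = TOKENS.get(auth[len("Bearer "):])
    if principal is None:
        raise Unauthenticated("unknown token")
    return principal


def authorize_vulnerable(metadata, method):
    """The CWE-862 pattern: a valid token is treated as sufficient for every
    method, so the role-based access policy is never consulted."""
    return authenticate(metadata)


def authorize_fixed(metadata, method):
    """Authentication followed by an explicit, deny-by-default role check
    against the method being invoked (the AC-3 / AC-24 behaviour)."""
    principal = authenticate(metadata)
    allowed = METHOD_POLICY.get(method, set())
    if principal.roles.isdisjoint(allowed):
        raise PermissionDenied(
            f"{principal.subject} has no role permitted to call {method}")
    return principal


def dispatch(method, metadata, authorize):
    """Mimic a server-side interceptor: return the gRPC-style status the
    caller would see ('OK', 'UNAUTHENTICATED' or 'PERMISSION_DENIED')."""
    try:
        authorize(metadata, method)
    except Unauthenticated:
        return "UNAUTHENTICATED"
    except PermissionDenied:
        return "PERMISSION_DENIED"
    return "OK"


if __name__ == "__main__":
    reader = {"authorization": "Bearer tok-reader"}
    for name, policy in (("vulnerable", authorize_vulnerable),
                         ("fixed", authorize_fixed)):
        print(name, "Reader -> Delete:",
              dispatch("/scripts.Scripts/Delete", reader, policy))
```

Under `authorize_vulnerable` a Reader's token is enough to call `Delete`; under `authorize_fixed` the same call is refused with `PERMISSION_DENIED`, and a method missing from the policy table is refused for everyone, which is the property an authorization layer on a public-facing RPC surface should have.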
The Devolutions security advisory at https://devolutions.net/security/advisories/DEVO-2026-0008 details mitigation steps and patches for this issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12637
Vulnerability details
Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allow an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on public gRPC endpoints enables remote exploitation of the PowerShell Universal application (T1190) to perform privileged operations, including resource management and scripting (T1059.001).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authorization checks on gRPC endpoints that allow RBAC bypass.
- AC-24 (Access Control Decisions): requires explicit authorization decisions for access to system resources by role, mitigating the condition in which any valid token bypasses role-based controls on privileged operations.
- AC-6 (Least Privilege): restricts each role to only the privileges it needs, limiting the escalation enabled by inadequate checks on gRPC service endpoints.