CVE-2026-3277: PowerShell Universal Exposes OIDC Client Secret in Cleartext, Enabling Service Impersonation Risks

CVE-2026-3277

Product: PowerShell Universal
Vendor: Devolutions
Vulnerability Type: Cleartext Storage of Sensitive Information
CWE: CWE-312
CVSS v4.0: 6.8
Severity: Medium
Attack Vector: Local / File System Access Required
Privileges Required: Low (Read Access to Application Files)
User Interaction: Not Required
Exploit Availability: No public weaponized exploit released
Official Patch: https://devolutions.net/security/advisories/DEVO-2026-0006


Overview

CVE-2026-3277 is a security issue affecting PowerShell Universal where an OpenID Connect (OIDC) client secret was stored in cleartext within the .universal/authentication.ps1 configuration file.

The vulnerability does not involve remote code execution, memory corruption, or injection. Instead, sensitive authentication material was improperly stored in plaintext on disk. If read access to the affected file is obtained, the client secret can be extracted and abused.

The issue was corrected in version 2026.1.3, where secure handling of secrets was implemented.


Technical Description

PowerShell Universal supports OpenID Connect (OIDC) integration for authentication. During configuration, an OIDC client ID and client secret are defined.

In vulnerable versions:

  • The OIDC client secret was written directly into: .universal/authentication.ps1
  • The secret was stored as plaintext.
  • No encryption, DPAPI protection, or secure vault storage was used.
  • Any account with file read access could retrieve the secret.

This represents cleartext storage of credentials, which violates secure secret handling practices.


Root Cause

The vulnerability exists because:

  • Sensitive authentication secrets were persisted in a configuration file.
  • The file was not encrypted.
  • File-level permissions were relied upon as the only protection.
  • No secret vault abstraction or secure key storage mechanism was enforced.

If filesystem protections are bypassed or misconfigured, exposure becomes trivial.


Affected Versions

All versions prior to:

PowerShell Universal 2026.1.3

Impact Assessment

If the OIDC client secret is exposed, the following risks arise:

  • Impersonation of the PowerShell Universal application
  • Unauthorized token generation from the Identity Provider (IdP)
  • Abuse of OAuth client credentials grant flow
  • Privilege escalation if the client has elevated scopes
  • API abuse under trusted application identity
  • Lateral movement within federated environments

The severity depends on:

  • The scopes assigned to the OIDC client
  • Trust relationships with APIs
  • Whether the secret has already been rotated
  • Host-level file permissions

Attack Scenario

The following attack chain is possible:

  1. Low-privileged local access is obtained (compromised user, lateral movement, backup access, misconfigured share).
  2. The attacker navigates to the PowerShell Universal data directory.
  3. The .universal/authentication.ps1 file is opened.
  4. The OIDC client secret is extracted.
  5. The secret is used to request OAuth tokens from the Identity Provider.
  6. Tokens are used to access APIs or impersonate the service.

No exploit development is required. Only file read access is necessary.


Proof of Concept (Educational)

No public exploit kit or weaponized PoC has been released.

However, exploitation can be demonstrated in a lab environment:

Step 1: Extract the Secret

Open:

C:\ProgramData\PowerShellUniversal\.universal\authentication.ps1

Locate a line similar to:

$ClientSecret = "super-secret-value"

Copy the secret value.


Step 2: Request Token from Identity Provider

If the OIDC provider supports client credential grant:

curl -X POST https://idp.example.com/oauth/token \
-d "client_id=<CLIENT_ID>" \
-d "client_secret=<EXTRACTED_SECRET>" \
-d "grant_type=client_credentials"

If successful, an access token will be returned.

This demonstrates how the exposed secret can be operationalized.


Exploitability Analysis

  • Remote exploitation: Not possible directly
  • Local exploitation: Possible with file read access
  • Privilege escalation: Possible if token scopes are elevated
  • Automation complexity: Very low
  • Detection difficulty: Moderate (depends on logging maturity)

Indicators of Compromise

There is no malware payload associated with this CVE. Instead, suspicious behavior may include:

  • Unauthorized reads of authentication.ps1
  • Unexpected OAuth token requests
  • Client credential flows outside normal service operations
  • Multiple token grants within short timeframes
  • API calls using service identity from unusual IP addresses

Detection Strategy

1. File Access Monitoring (Windows Security Log)

Enable Object Access auditing for the PowerShell Universal directory.

Monitor Event ID 4663 (An attempt was made to access an object), which is only generated for the file once a SACL is in place.

Detect reads of authentication.ps1:

Splunk Query

index=wineventlog EventCode=4663 
Object_Name="*authentication.ps1*"
| stats count by Account_Name, Process_Name, Object_Name, ComputerName

Alert when:

  • Account is not the service account
  • Process is not the PowerShell Universal service
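The two alert conditions above as a worked example, added here and not part of the advisory or of any vendor tooling: a Python triage routine over JSON-lines 4663 records (constructed samples embedded) that alerts only when the account or the process touching authentication.ps1 is not the PowerShell Universal service itself. The service account name and the service binary path are assumptions and must be replaced with the real values from the host.

```python
# Added example (not from the advisory or the vendor): applies the "Alert when" logic
# above to Windows Security 4663 records. Service account and binary path are assumptions.
import json

TARGET_FILE = "authentication.ps1"
SERVICE_ACCOUNT = "svc-psu"                                            # assumed service account
SERVICE_PROCESS = r"C:\Program Files\Universal\Universal.Server.exe"   # assumed PSU service binary
PSU_FILE = r"C:\ProgramData\PowerShellUniversal\.universal\authentication.ps1"  # path from the advisory


def is_suspicious_read(event: dict) -> bool:
    """True when a 4663 event touches authentication.ps1 and either the account or
    the process is not the PowerShell Universal service itself."""
    if event.get("EventCode") != 4663:
        return False
    if not event.get("Object_Name", "").lower().endswith(TARGET_FILE):
        return False
    account_ok = event.get("Account_Name", "").lower() == SERVICE_ACCOUNT
    process_ok = event.get("Process_Name", "").lower() == SERVICE_PROCESS.lower()
    return not (account_ok and process_ok)


def triage(raw_events):
    """Parse JSON-lines 4663 records; return (account, process, host) for each alert."""
    alerts = []
    for line in raw_events:
        ev = json.loads(line)
        if is_suspicious_read(ev):
            alerts.append((ev["Account_Name"], ev["Process_Name"], ev["ComputerName"]))
    return alerts


# Constructed sample records: the service reading its own config, an interactive user
# opening the file in notepad, and the same user reading an unrelated file.
SAMPLE_EVENTS = [
    json.dumps({"EventCode": 4663, "Account_Name": "svc-psu", "Process_Name": SERVICE_PROCESS,
                "Object_Name": PSU_FILE, "ComputerName": "PSU01"}),
    json.dumps({"EventCode": 4663, "Account_Name": "jdoe",
                "Process_Name": r"C:\Windows\System32\notepad.exe",
                "Object_Name": PSU_FILE, "ComputerName": "PSU01"}),
    json.dumps({"EventCode": 4663, "Account_Name": "jdoe",
                "Process_Name": r"C:\Windows\System32\notepad.exe",
                "Object_Name": r"C:\Users\jdoe\notes.txt", "ComputerName": "PSU01"}),
]

if __name__ == "__main__":
    for account, process, host in triage(SAMPLE_EVENTS):
        print(f"ALERT {host}: {account} read authentication.ps1 via {process}")
```

Only the notepad read of the configuration file is returned; the service's own read and the unrelated file are filtered out.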

2. Sysmon Monitoring

Monitor file activity. Note that Sysmon Event ID 11 is FileCreate, so the query below catches a copy of authentication.ps1 being written to a new location (for example a user profile or a share) rather than a read of the original file; reads are covered by the 4663 auditing above.

Elastic Query

event.code:11 AND file.name:"authentication.ps1"

Flag unexpected processes accessing the file.


3. Identity Provider Log Monitoring

Detect abnormal client credential flows.

Splunk Example

index=idp_logs grant_type=client_credentials 
client_id="<PowerShellUniversalClientID>"
| stats count by src_ip, user_agent

Alert on:

  • New source IP
  • Unusual time window
  • High frequency token requests
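The three alert conditions above as a worked example, added here and not taken from the advisory or any IdP product: a Python rule over constructed key=value token-endpoint log lines that flags client_credentials grants for the PowerShell Universal client from a source IP outside a known baseline, and bursts above a threshold within a ten-minute window. The client_id, baseline IP, thresholds and log format are all assumptions.

```python
# Added example (not from the advisory or any IdP vendor): flags client_credentials
# grants for the PowerShell Universal client_id from an unseen source IP or in bursts.
# The client_id, baseline IP, thresholds and key=value log format are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

PSU_CLIENT_ID = "psu-prod-client"   # assumed client_id of the PSU OIDC registration
KNOWN_IPS = {"10.20.0.15"}          # assumed baseline: the PSU application server itself
MAX_PER_WINDOW = 5                  # assumed: more than this many grants per WINDOW is abnormal
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Parse one constructed key=value IdP log line; 'ts' becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(lines) -> list:
    """Return one alert per unseen source IP and one per IP exceeding MAX_PER_WINDOW."""
    alerts, seen_new, by_ip = [], set(), defaultdict(list)
    for f in map(parse_line, lines):
        if f.get("grant_type") != "client_credentials" or f.get("client_id") != PSU_CLIENT_ID:
            continue  # other clients or grant types are out of scope for this rule
        ip = f["src_ip"]
        if ip not in KNOWN_IPS and ip not in seen_new:
            seen_new.add(ip)
            alerts.append(f"new source ip {ip} first seen {f['ts'].isoformat()}")
        by_ip[ip].append(f["ts"])
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_PER_WINDOW:
                alerts.append(f"high frequency: {end - start + 1} grants from {ip} within {WINDOW}")
                break
    return alerts


# Constructed log: one routine grant from the server, six grants in 50 seconds from an
# unknown address using curl, and one unrelated client that must not trigger the rule.
BASE = "client_id=psu-prod-client grant_type=client_credentials"
SAMPLE_LOG = (
    [f"ts=2026-03-01T09:00:00 {BASE} src_ip=10.20.0.15 user_agent=PSU"]
    + [f"ts=2026-03-01T12:00:{s:02d} {BASE} src_ip=203.0.113.7 user_agent=curl/8.5.0" for s in range(0, 60, 10)]
    + ["ts=2026-03-01T12:01:00 client_id=other-app grant_type=client_credentials src_ip=203.0.113.7 user_agent=curl/8.5.0"]
)
```

Calling detect(SAMPLE_LOG) yields two alerts: the unseen address 203.0.113.7 and six grants from it inside one window; the baseline server and the unrelated client produce none.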

4. Endpoint Detection Query

Search for command-line activity referencing the file:

process.command_line:*authentication.ps1*

Investigate non-administrative access patterns.


Threat Hunting Queries

Hunt for File Copies

file.name:"authentication.ps1" AND NOT file.path:"*PowerShellUniversal*"

This detects exfiltration or duplication.


Hunt for Backup Exposure

Search file servers and storage logs for:

*.universal*
authentication.ps1

MITRE ATT&CK Mapping

  • T1552 – Unsecured Credentials
  • T1552.001 – Credentials in Files
  • T1078 – Valid Accounts
  • T1550 – Use of Valid Tokens

Remediation

Immediate Actions

  1. Upgrade to version 2026.1.3 or later
  2. Rotate the OIDC client secret
  3. Review file permissions on: C:\ProgramData\PowerShellUniversal\
  4. Remove configuration files from shared storage or source repositories
  5. Audit backups for secret exposure

Official Patch

Upgrade instructions and vendor advisory:

https://devolutions.net/security/advisories/DEVO-2026-0006


Hardening Recommendations

  • Enforce least privilege on application directories
  • Enable Windows Object Access auditing
  • Restrict interactive logon on application servers
  • Use managed identity where possible instead of static client secrets
  • Implement secret vault storage (Azure Key Vault, HashiCorp Vault, etc.)
  • Monitor OAuth client credential usage continuously
  • Rotate application secrets periodically

Risk Evaluation Summary

CVE-2026-3277 is not a remote exploit vulnerability. However, in environments where application servers are accessible to multiple administrators, backup operators, or service accounts, the risk becomes significant.

If the OIDC client possesses privileged scopes, the compromise impact increases considerably.

The vulnerability should be treated as a credential exposure issue requiring both patching and secret rotation.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.