What happened
Devolutions PowerShell Universal 2026.2.0 serializes App Tokens in plaintext inside AI Agent job API responses. An authenticated user with only 'AI Agent read' access can call the job API and extract App Tokens belonging to higher-privileged identities. These tokens are reusable and may carry significantly elevated permissions, enabling privilege escalation from AI Agent reader to broader platform administrator.
Why it matters
PowerShell Universal is used by enterprises to build and automate IT workflows, including AI Agent integrations. The plaintext token leakage means that an attacker with minimal AI Agent read access can escalate to full platform control by harvesting reusable admin-level tokens from job API responses, then using those tokens to modify scripts, environments, schedules, and security settings.
Attack vector
Authenticated user with 'AI Agent read' access calls the AI Agent job API endpoint; the response contains serialized App Tokens in plaintext that belong to higher-privileged identities. Attacker reuses the harvested tokens for privilege escalation.
Affected systems
Devolutions PowerShell Universal 2026.2.0
Mitigation
Apply vendor patch per Devolutions advisory DEVO-2026-0022: https://devolutions.net/security/advisories/DEVO-2026-0022/