PatchSiren cyber security CVE debrief
CVE-2026-46402 microsoft CVE debrief
CVE-2026-46402 is a path traversal vulnerability in Microsoft UFO, an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, the framework uses user-controlled `task_name` values directly when constructing session log paths. An authenticated attacker can supply path traversal sequences (e.g., `../`) in the `task_name` parameter, causing UFO to create log directories and files outside the intended `logs/` directory. This could lead to arbitrary file creation on the host filesystem, potentially enabling further compromise or denial of service. The vulnerability requires authentication (PR:L) but is network-accessible (AV:N) with low attack complexity (AC:L). The CVSS 3.1 vector indicates no confidentiality impact (C:N) but high integrity (I:H) and availability (A:H) impacts. The weakness is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path). Microsoft has published a security advisory addressing this issue.
- Vendor: microsoft
- Product: UFO
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Microsoft UFO for intelligent automation, particularly those exposing UFO interfaces to multiple authenticated users or hosting UFO on shared infrastructure. It also concerns security teams responsible for AI/ML automation frameworks and developers building applications on top of UFO.
Technical summary
The Microsoft UFO framework (v3.0.1-4-ge2626659) fails to sanitize the `task_name` parameter before using it to construct filesystem paths for session logging. The vulnerable code directly interpolates user input into path construction, allowing directory traversal sequences to escape the intended `logs/` directory. An authenticated attacker can exploit this to create arbitrary directories and files on the host filesystem. The vulnerability is remotely exploitable by authenticated users with no user interaction required. Integrity and availability impacts are rated HIGH due to potential for arbitrary file creation and filesystem manipulation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Microsoft UFO to a patched version addressing GHSA-whcg-fgpx-76f2
- Validate and sanitize all user-supplied input used in file path construction, particularly the `task_name` parameter
- Implement path canonicalization to ensure resolved paths remain within intended directories
- Apply principle of least privilege to UFO service accounts to limit filesystem impact
- Monitor for anomalous file creation activity outside expected log directories
- Review application logs for suspicious `task_name` values containing path traversal sequences
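As an added illustration of the unchecked path construction described above beside the canonicalization and log-review actions recommended here (example code, not UFO's own; the `/srv/ufo/logs` root, the allow-list pattern and the key=value log format are assumptions):

```python
import os
import re
from pathlib import Path

# Hypothetical stand-in for UFO's logs/ directory (not the project's real path).
LOGS_ROOT = Path("/srv/ufo/logs")
# Allow-list for a session name: a single path component, no separators.
TASK_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Raw or percent-encoded traversal markers, for log review.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e|%2f|%5c", re.IGNORECASE)


def vulnerable_log_dir(task_name: str, logs_root: Path = LOGS_ROOT) -> Path:
    """The advisory's pattern: input joined onto logs/ with no containment check."""
    return logs_root / task_name


def escapes_root(path: Path, logs_root: Path = LOGS_ROOT) -> bool:
    """True if the lexically normalized path is not strictly inside logs_root."""
    normalized, root = os.path.normpath(str(path)), os.path.normpath(str(logs_root))
    return normalized == root or os.path.commonpath([normalized, root]) != root


def safe_log_dir(task_name: str, logs_root: Path = LOGS_ROOT) -> Path:
    """Hardened form: allow-list the name, then canonicalize and require that the
    result is a strict descendant of logs_root. Raises ValueError otherwise."""
    if not TASK_NAME_RE.fullmatch(task_name):
        raise ValueError(f"rejected task_name: {task_name!r}")
    root = logs_root.resolve()
    candidate = (root / task_name).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"task_name escapes logs directory: {task_name!r}")
    return candidate


def flag_traversal_in_logs(lines):
    """Return (line_no, task_name) for lines whose task_name field carries a
    traversal marker; the key=value log format here is constructed."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"task_name=(\S+)", line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample log lines, not output from UFO.
SAMPLE_LOG = [
    "2026-05-27T10:00:01Z INFO session start task_name=weekly_report user=alice",
    "2026-05-27T10:00:05Z INFO session start task_name=../../outside/task user=bob",
    "2026-05-27T10:00:09Z INFO session start task_name=..%2f..%2foutside user=bob",
]
```

The allow-list rejects encoded forms such as `%2f` outright, while the canonicalization step guards against any component the allow-list might later be loosened to admit.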
Evidence notes
Vulnerability description sourced from NVD record and GitHub Security Advisory GHSA-whcg-fgpx-76f2. CVSS 3.1 score 8.1 (HIGH) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. Affected version: 3.0.1-4-ge2626659. Weaknesses: CWE-22, CWE-73.
Official resources
- CVE-2026-46402 CVE record (CVE.org)
- CVE-2026-46402 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27