PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46414 microsoft CVE debrief

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, the WebSocket control plane contains an authenticated role/identity spoofing vulnerability that enables peer task hijacking. The server trusts the client-supplied identity and role fields in TASK messages rather than enforcing the role registered for that WebSocket connection. An authenticated client holding the shared server token can register as a normal device, then send a TASK message with client_type=constellation and a victim device's target_id to spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to other connected devices. Additionally, the client registry permits duplicate client_id registration, allowing an attacker to overwrite an existing live client's stored WebSocket, role, and task protocol. This represents a failure to properly authenticate and authorize role claims (CWE-290, CWE-862) and an authorization bypass through a user-controlled key (CWE-639). The vulnerability was published on 2026-05-27 with a CVSS 3.1 score of 8.8 (HIGH).

Vendor: microsoft
Product: UFO
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Microsoft UFO 3.0.1-4-ge2626659 or earlier for cross-device intelligent automation; security teams managing UFO control plane deployments; developers integrating UFO WebSocket APIs; incident responders investigating anomalous task dispatches in UFO environments

Technical summary

The Microsoft UFO framework's WebSocket control plane fails to bind role authentication to session state. When a client connects and authenticates with a shared server token, the server stores the client's registered role (e.g., normal device). However, when processing TASK messages, the server reads client_type and target_id directly from the message payload without verifying these match the connection's registered role. This allows any authenticated client to escalate privileges by claiming constellation role in task messages and targeting arbitrary victim devices. The duplicate client_id registration weakness compounds this by allowing attackers to hijack existing legitimate sessions. The vulnerability is network-exploitable with low attack complexity, requiring only valid authentication credentials.
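The following is an added illustration of the role-binding failure described above and of the corrected behaviour; it is not Microsoft UFO's code. The field names client_type, target_id and client_id follow the advisory text, while the registry layout, the "device"/"constellation" role strings and the exception types are assumptions made for the example. The "before" handler keeps the behaviour the advisory describes (role taken from the payload); the hardened handler authorizes only against the role and identity bound at registration and the registry refuses duplicate client_id entries instead of overwriting a live session.

```python
"""Role-bound TASK dispatch for a WebSocket control plane (added example)."""
from dataclasses import dataclass, field

# Role strings are assumptions for this example, not UFO's identifiers.
CONSTELLATION = "constellation"
DEVICE = "device"


@dataclass
class Session:
    client_id: str
    role: str            # fixed at registration; never updated from later messages
    socket_ref: object   # stands in for the live WebSocket object


@dataclass
class Registry:
    sessions: dict = field(default_factory=dict)

    def register(self, client_id: str, role: str, socket_ref: object) -> Session:
        # Refuse a second registration for a live client_id rather than
        # silently replacing its socket, role and protocol.
        if client_id in self.sessions:
            raise ValueError(f"client_id already registered: {client_id}")
        if role not in (CONSTELLATION, DEVICE):
            raise ValueError(f"unknown role: {role}")
        session = Session(client_id, role, socket_ref)
        self.sessions[client_id] = session
        return session

    def unregister(self, client_id: str) -> None:
        self.sessions.pop(client_id, None)


def vulnerable_dispatch(registry: Registry, sender: Session, msg: dict) -> str:
    """'Before' behaviour from the advisory: the role claim in the payload is trusted."""
    if msg.get("client_type") == CONSTELLATION:
        target = registry.sessions[msg["target_id"]]
        return f"dispatched to {target.client_id}"
    return "rejected"


def hardened_dispatch(registry: Registry, sender: Session, msg: dict) -> str:
    """Authorize using only the sender's registered role and identity."""
    if msg.get("type") != "TASK":
        raise PermissionError("not a TASK message")
    # Any identity/role claim on the wire must equal the bound session values.
    if msg.get("client_id") not in (None, sender.client_id):
        raise PermissionError("client_id does not match session")
    if msg.get("client_type") not in (None, sender.role):
        raise PermissionError("client_type does not match registered role")
    if sender.role != CONSTELLATION:
        raise PermissionError("only constellation sessions may dispatch tasks")
    target = registry.sessions.get(msg.get("target_id"))
    if target is None or target.role != DEVICE:
        raise PermissionError("target is not a registered device")
    return f"dispatched to {target.client_id}"


def demo() -> dict:
    """Run both handlers against a constructed spoofed TASK message."""
    reg = Registry()
    orchestrator = reg.register("orch-1", CONSTELLATION, object())
    reg.register("victim-1", DEVICE, object())
    low_priv = reg.register("dev-7", DEVICE, object())
    # Constructed message: a device-registered session claiming constellation.
    spoofed = {"type": "TASK", "client_type": CONSTELLATION,
               "target_id": "victim-1", "task": "constructed payload"}
    out = {"vulnerable": vulnerable_dispatch(reg, low_priv, spoofed)}
    try:
        hardened_dispatch(reg, low_priv, spoofed)
        out["hardened"] = "dispatched"
    except PermissionError as exc:
        out["hardened"] = f"rejected: {exc}"
    try:
        reg.register("victim-1", CONSTELLATION, object())
        out["duplicate"] = "overwritten"
    except ValueError:
        out["duplicate"] = "rejected"
    # A genuine constellation session dispatching to a registered device still works.
    legit = {"type": "TASK", "target_id": "victim-1", "task": "constructed payload"}
    out["legit"] = hardened_dispatch(reg, orchestrator, legit)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened handler treats a missing client_type as acceptable (the session already carries the role) but treats a present, non-matching one as spoofing and rejects it, which also makes the attempt loggable as an anomaly rather than silently ignored.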

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Microsoft UFO to a version containing the security fix for GHSA-qgx6-cvhg-jw7p
  • Review WebSocket authentication implementation to enforce role binding at connection registration rather than trusting wire message claims
  • Implement server-side validation that rejects TASK messages with client_type or target_id values that do not match the authenticated session's registered role and identity
  • Add protections against duplicate client_id registration to prevent client session takeover
  • Audit WebSocket access logs for anomalous client_type changes or cross-device task dispatches from non-constellation registered connections
  • Rotate shared server tokens if compromise is suspected
  • Segment UFO control plane networks to limit lateral movement if authentication bypass occurs
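For the audit action above, the following added example (not part of the advisory or of UFO) runs the three checks it calls for over a constructed JSON-lines control-plane log: a TASK whose client_type differs from the role the sender registered with, a cross-device dispatch from a connection that registered as a device, and a second registration for a client_id that is already live. The log format, field names beyond those in the advisory, and role strings are assumptions; real UFO logs would need their own parser.

```python
"""Audit a control-plane log for role spoofing indicators (added example)."""
import json

# Constructed sample log; the record layout is an assumption for this example.
SAMPLE_LOG = """\
{"ts":"2026-05-27T10:00:01Z","event":"register","client_id":"orch-1","role":"constellation"}
{"ts":"2026-05-27T10:00:02Z","event":"register","client_id":"dev-3","role":"device"}
{"ts":"2026-05-27T10:00:03Z","event":"register","client_id":"dev-7","role":"device"}
{"ts":"2026-05-27T10:01:00Z","event":"task","client_id":"orch-1","client_type":"constellation","target_id":"dev-3"}
{"ts":"2026-05-27T10:02:10Z","event":"task","client_id":"dev-7","client_type":"constellation","target_id":"dev-3"}
{"ts":"2026-05-27T10:02:30Z","event":"register","client_id":"dev-3","role":"device"}
{"ts":"2026-05-27T10:03:00Z","event":"task","client_id":"dev-7","client_type":"device","target_id":"dev-3"}
"""


def audit(log_text: str) -> list:
    """Return (timestamp, finding, client_id) tuples for suspicious records."""
    registered = {}   # client_id -> role recorded at registration
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        event = rec.get("event")
        if event == "register":
            cid = rec["client_id"]
            # A second registration while the first is live is the overwrite
            # primitive described in the advisory.
            if cid in registered:
                findings.append((rec["ts"], "duplicate-registration", cid))
            registered[cid] = rec["role"]
        elif event == "task":
            cid = rec["client_id"]
            role = registered.get(cid)
            if role is None:
                findings.append((rec["ts"], "task-from-unregistered", cid))
                continue
            # Wire role claim must equal the registered role.
            if rec.get("client_type") != role:
                findings.append((rec["ts"], "role-mismatch", cid))
            # Only constellation sessions should target other devices.
            if role != "constellation" and rec.get("target_id") not in (None, cid):
                findings.append((rec["ts"], "cross-device-dispatch-from-device", cid))
    return findings


if __name__ == "__main__":
    for ts, kind, cid in audit(SAMPLE_LOG):
        print(f"{ts} {kind} client_id={cid}")
```

On the sample log this yields four findings: the 10:02:10 TASK from dev-7 trips both the role mismatch and the cross-device check, the 10:02:30 re-registration of dev-3 is flagged as a duplicate, and the 10:03:00 TASK from dev-7 is flagged as a cross-device dispatch even though its client_type now matches, which is why the second check is worth keeping independent of the first.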

Evidence notes

Vulnerability description and CVSS vector sourced from NVD record and GitHub Security Advisory GHSA-qgx6-cvhg-jw7p. CWE classifications (CWE-290, CWE-639, CWE-862) confirmed in source metadata. Affected version 3.0.1-4-ge2626659 explicitly identified in CVE description.

Official resources

2026-05-27