PatchSiren cyber security CVE debrief
CVE-2026-46416 microsoft CVE debrief
A shared-instance design flaw in Microsoft UFO's WebSocket handler (versions through 3.0.1-4-ge2626659) causes authenticated session response leakage. The UFOWebSocketHandler class is instantiated once and reused across multiple WebSocket connections, storing per-connection protocol objects in mutable instance fields. Each new connection overwrites these fields, causing message handlers to dispatch responses through the shared state rather than connection-bound protocol objects. Consequently, the most recently connected authenticated client may receive protocol responses intended for another authenticated client. The vulnerability was published on 2026-05-27 with a CVSS 3.1 score of 6.3 (MEDIUM).
- Vendor: microsoft
- Product: UFO
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Organizations deploying Microsoft UFO for cross-platform intelligent automation, particularly those exposing WebSocket endpoints to multiple concurrent authenticated users or automated agents. Security teams monitoring for session management flaws in Python-based WebSocket implementations. Developers maintaining forked or customized versions of the UFO framework.
Technical summary
The vulnerability stems from how Microsoft UFO's WebSocket implementation manages state. A single UFOWebSocketHandler instance serves every concurrent connection, and per-connection protocol objects are stored in mutable instance fields on that shared instance (the CVE record does not name the field). Each new WebSocket connection overwrites those fields with its own protocol object, and the message handlers then dispatch responses through whichever object is currently stored rather than through a mapping from connection identifier to protocol object. The misrouting depends only on connection order, not on a narrow timing window: once a second client connects, responses to messages from earlier clients are delivered to the most recently connected client. Exploitation requires authenticated access (PR:L) but no user interaction (UI:N), is reachable over the network (AV:N) and has low complexity (AC:L). The vector rates confidentiality, integrity and availability as low (C:L/I:L/A:L): a misrouted response exposes another session's data to the wrong client, can cause that client to act on protocol messages it did not request, and leaves the intended recipient without its response, which matters in an automation framework where responses drive further actions.
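To make the failure mode concrete, the following added example (written for this debrief, not UFO's code; all class, field and method names are hypothetical reconstructions of the pattern the CVE describes) places a shared-instance handler that keeps the "current" protocol in an instance field beside a handler that keys protocol objects by connection identifier, and drives both with two fake clients so the misrouting and the fix can be observed without a network.

```python
"""Shared-instance WebSocket handler (vulnerable pattern) vs connection-scoped state.

Added illustration for CVE-2026-46416; not code from Microsoft UFO.
Names such as SharedStateHandler, ConnectionScopedHandler and FakeConnection
are hypothetical stand-ins for the pattern the CVE record describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeConnection:
    """Stand-in for a WebSocket connection; records everything delivered to it."""
    conn_id: str
    received: List[str] = field(default_factory=list)

    def send(self, message: str) -> None:
        self.received.append(message)


class Protocol:
    """Per-connection protocol object: owns the socket it writes responses to."""

    def __init__(self, conn: FakeConnection) -> None:
        self.conn = conn

    def reply(self, message: str) -> None:
        self.conn.send(message)


class SharedStateHandler:
    """Vulnerable pattern: one instance serves all connections and keeps the most
    recently connected client's protocol in a mutable instance field."""

    def __init__(self) -> None:
        self.protocol: Optional[Protocol] = None  # overwritten on every connect

    def on_connect(self, conn: FakeConnection) -> None:
        self.protocol = Protocol(conn)

    def on_message(self, conn: FakeConnection, text: str) -> None:
        # Dispatches through the shared field, not the sender's own protocol object,
        # so the response goes to whoever connected last.
        assert self.protocol is not None, "no connection registered"
        self.protocol.reply(f"result for {conn.conn_id}: {text!r}")


class ConnectionScopedHandler:
    """Hardened pattern: protocol objects keyed by connection id, removed on close."""

    def __init__(self) -> None:
        self.protocols: Dict[str, Protocol] = {}

    def on_connect(self, conn: FakeConnection) -> None:
        if conn.conn_id in self.protocols:
            raise ValueError(f"duplicate connection id {conn.conn_id!r}")
        self.protocols[conn.conn_id] = Protocol(conn)

    def on_disconnect(self, conn: FakeConnection) -> None:
        self.protocols.pop(conn.conn_id, None)

    def on_message(self, conn: FakeConnection, text: str) -> None:
        proto = self.protocols.get(conn.conn_id)
        if proto is None:
            # Fail closed: never fall back to "whatever protocol is around".
            raise KeyError(f"message from unregistered connection {conn.conn_id!r}")
        proto.reply(f"result for {conn.conn_id}: {text!r}")


def simulate(handler_cls) -> Dict[str, List[str]]:
    """Two authenticated clients connect; alice sends a message after bob has
    connected. Returns what each connection received."""
    handler = handler_cls()
    alice, bob = FakeConnection("alice"), FakeConnection("bob")
    handler.on_connect(alice)
    handler.on_connect(bob)
    handler.on_message(alice, "list_files")
    return {"alice": list(alice.received), "bob": list(bob.received)}


if __name__ == "__main__":
    print("shared instance:   ", simulate(SharedStateHandler))
    print("connection-scoped: ", simulate(ConnectionScopedHandler))
```

With the shared-instance handler, alice's response lands in bob's `received` list and alice's stays empty; with the connection-scoped handler the response reaches alice only. The `on_disconnect` hook matters as much as the mapping: a stale entry left behind after a close is the same class of bug in slow motion if connection identifiers are ever reused.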
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade Microsoft UFO to a version beyond 3.0.1-4-ge2626659 that addresses the shared-instance state management flaw
- Review WebSocket handler implementations for singleton or shared-instance patterns that store per-connection state in mutable instance fields
- Implement connection-scoped protocol object storage to prevent cross-session response routing
- Log a request identifier and a connection identifier on both inbound messages and outbound responses, and alert when a response is delivered on a connection other than the one that issued the request; that is the observable signature of this kind of session state confusion
- Scope the privileges of each authenticated WebSocket client to the automation tasks it needs, so that a response or command misrouted to the wrong client exposes as little as possible
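One way to implement the monitoring recommendation above, as an added example that is not part of this debrief's source or of UFO: the detector below consumes constructed log lines in a hypothetical `key=value` format (UFO's real log format is not documented on this page), remembers which connection issued each request, and flags any response delivered on a different connection, as well as responses for requests it never saw.

```python
"""Detect cross-connection response delivery from WebSocket handler logs.

Added example for CVE-2026-46416; not code from Microsoft UFO. The log format
below is constructed for illustration: one line per event, a timestamp, then
key=value fields with conn (connection id), dir (in|out), req (request id).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: alice (c1) requests r1; bob (c2) connects and requests r2;
# r1's response is then delivered on c2, and r9 is answered without a request.
SAMPLE_LOG = """\
2026-05-27T10:00:01Z conn=c1 user=alice dir=in req=r1 op=list_files
2026-05-27T10:00:02Z conn=c2 user=bob dir=in req=r2 op=click
2026-05-27T10:00:03Z conn=c2 dir=out req=r1 status=ok
2026-05-27T10:00:04Z conn=c2 dir=out req=r2 status=ok
2026-05-27T10:00:05Z conn=c1 dir=out req=r9 status=ok
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored as 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_misrouted_responses(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious outbound line.

    kind == "cross_connection": the request was received on a different
    connection than the one the response was delivered to.
    kind == "unmatched": the response references a request id never seen inbound.
    """
    origin: Dict[str, Tuple[str, str]] = {}  # req id -> (conn, user)
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        req, conn, direction = rec.get("req"), rec.get("conn"), rec.get("dir")
        if not (req and conn):
            continue  # lines without correlation fields cannot be checked
        if direction == "in":
            origin[req] = (conn, rec.get("user", "?"))
        elif direction == "out":
            if req not in origin:
                findings.append({"ts": rec["ts"], "kind": "unmatched",
                                 "req": req, "delivered_to": conn})
            elif origin[req][0] != conn:
                requested_on, requester = origin[req]
                findings.append({"ts": rec["ts"], "kind": "cross_connection",
                                 "req": req, "requester": requester,
                                 "requested_on": requested_on,
                                 "delivered_to": conn})
    return findings


if __name__ == "__main__":
    for f in find_misrouted_responses(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, the detector reports r1 as a cross-connection delivery (requested on c1 by alice, delivered to c2) and r9 as unmatched, while r2 produces nothing because it was answered on the connection that asked. The check only works if the application logs a request identifier on both directions; without that correlation key there is nothing to join on, which is itself a logging gap worth closing.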
Evidence notes
The vulnerability description and affected version (3.0.1-4-ge2626659) are drawn from the official CVE record. The root cause—shared mutable instance fields in UFOWebSocketHandler overwriting per-connection state—is explicitly documented in the CVE description. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L confirms network attack vector with low attack complexity and authenticated low-privilege access required. CWE-284 (Improper Access Control) and CWE-488 (Exposure of Data Element to Wrong Session) are cited as primary weaknesses.
Official resources
- CVE-2026-46416 CVE record (CVE.org)
- CVE-2026-46416 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-27