PatchSiren cyber security CVE debrief
CVE-2026-46538 microsoft CVE debrief
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, the constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message originated from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. While the pending task record stores the expected device ID, the completion path ignores this binding. An authenticated peer device can send a forged TASK_END message with the same session_id, causing the constellation to accept the response and complete the victim device's pending Future with attacker-controlled result data. This constitutes an authenticated cross-device task-result injection vulnerability.
- Vendor: microsoft
- Product: UFO
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Organizations deploying Microsoft UFO for cross-device automation, particularly those with multi-tenant or multi-user device environments where peer devices may have different trust levels or compromise boundaries.
Technical summary
The vulnerability exists in the constellation client's task completion handling. When a task is dispatched to a target device, the client creates a pending Future indexed by session_id. The stored pending record includes the expected device ID, but the completion handler does not validate that the incoming TASK_END message's device ID matches this expectation. An attacker with valid credentials on a peer device can intercept or predict session_id values and submit forged TASK_END messages. The constellation client will match the session_id, complete the Future, and propagate attacker-controlled data as the task result. This breaks the integrity guarantee of task execution without requiring compromise of the target device.
Defensive priority
MEDIUM
Recommended defensive actions
- Review Microsoft UFO GitHub Security Advisory GHSA-wmq2-74rj-7pjc for detailed technical information and remediation guidance
- Upgrade Microsoft UFO to a version containing the security fix for CVE-2026-46538
- Audit constellation client implementations for custom modifications that may replicate the vulnerable session_id-only tracking pattern
- Implement additional verification in task completion handlers to validate that TASK_END messages originate from the expected device ID
- Monitor for anomalous task completion patterns that may indicate exploitation attempts
- Review access controls to limit which authenticated devices can communicate with the constellation client
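As an added illustration (not UFO's own code; every class, function and message-field name below is an assumption), the following minimal pending-task registry shows the session_id-only completion path described in the technical summary beside the origin check recommended above, and exercises both with a TASK_END for the same session_id arriving from a second device:

```python
from concurrent.futures import Future
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PendingTask:
    session_id: str
    expected_device_id: str  # recorded at dispatch; the weak path never reads it
    future: Future = field(default_factory=Future)


class ConstellationClient:
    """Hypothetical constellation-side registry of tasks awaiting TASK_END."""

    def __init__(self, verify_origin: bool) -> None:
        self.verify_origin = verify_origin
        self.pending: Dict[str, PendingTask] = {}
        self.rejected: List[Tuple[str, str]] = []  # (session_id, sender) refused

    def dispatch(self, session_id: str, device_id: str) -> Future:
        """Send a task to device_id and register the Future its TASK_END completes."""
        task = PendingTask(session_id, device_id)
        self.pending[session_id] = task
        return task.future

    def on_message(self, sender_device_id: str, msg: dict) -> bool:
        """Handle one inbound message. sender_device_id must come from the
        authenticated peer connection, never from the message body."""
        if msg.get("type") != "TASK_END":
            return False
        task = self.pending.get(msg.get("session_id"))
        if task is None:
            return False
        # Weak path: a matching session_id alone completes the Future (the advisory's bug).
        # Hardened path: the sender must be the device the task was dispatched to.
        if self.verify_origin and sender_device_id != task.expected_device_id:
            self.rejected.append((task.session_id, sender_device_id))
            return False  # worth logging: TASK_END from the wrong device is a detection signal
        del self.pending[task.session_id]
        task.future.set_result(msg.get("result"))
        return True


def demo(verify_origin: bool, sender: str) -> dict:
    """Dispatch sess-1 to device-A, then deliver a TASK_END for sess-1 from `sender`."""
    client = ConstellationClient(verify_origin)
    fut = client.dispatch("sess-1", "device-A")
    msg = {"type": "TASK_END", "session_id": "sess-1", "result": "constructed result"}
    accepted = client.on_message(sender, msg)
    return {"accepted": accepted, "done": fut.done(), "rejected": len(client.rejected)}
```

With verify_origin disabled, device-B's message completes device-A's Future; with it enabled, the same message is refused and recorded while a genuine TASK_END from device-A still completes the task.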
Evidence notes
The vulnerability was disclosed via GitHub Security Advisory GHSA-wmq2-74rj-7pjc and subsequently published in the NVD. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L) indicates network attack vector with high attack complexity, low privileges required, no user interaction, and high impact to integrity with low availability impact. CWE-294 (Authentication Bypass by Capture-replay) and CWE-345 (Insufficient Verification of Data Authenticity) are identified as relevant weakness classifications.
Official resources
- CVE-2026-46538 CVE record (CVE.org)
- CVE-2026-46538 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27