PatchSiren cyber security CVE debrief

CVE-2026-46544 microsoft CVE debrief

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In versions up to and including 3.0.1-4-ge2626659, the framework's WebSocket server accepts client-supplied session_id values in TASK messages and reuses an existing in-memory session object whenever one matches. If a prior session has completed and remains in memory with its results populated, a different authenticated client can send a new TASK message carrying the same session_id; the server re-enters the existing session object and transmits the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale-result replay. Exploitation requires that the attacker know, or be able to predict, a live or recently completed session_id. The CVE was published on 2026-05-27 and last modified on 2026-05-28.

Vendor
microsoft
Product
UFO
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-28
Advisory published
2026-05-27
Advisory updated
2026-05-28

Who should care

Organizations running Microsoft UFO automation framework instances, particularly those exposing WebSocket endpoints to multiple authenticated clients or operating in multi-tenant configurations. Security teams responsible for open-source supply chain risk management and developers integrating UFO into automation pipelines.

Technical summary

The Microsoft UFO framework's WebSocket server does not bind session state to the authenticated client that created it. When a TASK message arrives, the server takes the session_id supplied by the client and looks for an existing session object in memory under that key. If one is found, it is reused regardless of whether the requesting client is the session's original owner. A second authenticated client can therefore retrieve the stored result of a completed session simply by supplying the same session_id. Because the identifier is chosen by the client rather than minted by the server, its entropy and predictability depend on the client implementation; the attacker still has to learn a valid session_id by guessing, observing traffic, or other means, which is why CVSS rates the attack complexity as high. Only confidentiality is affected: the attacker reads another client's result but cannot alter it or disrupt the service (C:H/I:N/A:N).
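The lookup pattern above, modelled as a small in-memory session registry and placed beside a hardened version that applies the server-side id generation, owner binding and eviction-on-completion controls recommended later on this page. This is an added example written for this debrief; it is not code from the Microsoft UFO project. The message shapes (TASK, TASK_ACK, TASK_END), the Session fields, the two server classes and the complete_task() hook that stands in for the execution engine are all assumptions made to illustrate the behaviour the advisory describes, not UFO's real API.

```python
"""Vulnerable vs. hardened session handling for a WebSocket task server.

Added example for this debrief; NOT Microsoft UFO code. Message shapes,
class names and the complete_task() hook are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    owner: str                  # authenticated client that opened the session
    request: str = ""
    result: str | None = None   # populated once the task has run
    completed: bool = False


def send_task_end(session: Session, recipient: str) -> dict:
    """Stand-in for the callback that writes a finished result to a socket."""
    return {"type": "TASK_END", "to": recipient,
            "session_id": session.session_id, "result": session.result}


class VulnerableServer:
    """Keys sessions by the client-supplied session_id and reuses any match."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def handle_task(self, client: str, msg: dict) -> dict:
        sid = msg["session_id"]                 # client-controlled key (CWE-639)
        session = self.sessions.get(sid)
        if session is None:
            self.sessions[sid] = Session(session_id=sid, owner=client,
                                         request=msg["request"])
        elif session.completed:
            # No owner check: the finished session is re-entered and its stored
            # result is replayed to whoever presented the id.
            return send_task_end(session, client)
        return {"type": "TASK_ACK", "to": client, "session_id": sid}

    def complete_task(self, sid: str) -> dict:
        """Execution engine finishes the task; the session stays in memory."""
        session = self.sessions[sid]
        session.result = f"result for {session.request}"
        session.completed = True
        return send_task_end(session, session.owner)


class HardenedServer:
    """Server-minted ids, owner binding, and eviction on completion."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def handle_task(self, client: str, msg: dict) -> dict:
        sid = msg.get("session_id")
        if sid is None:
            # New task: the server mints an unguessable id; clients cannot choose it.
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = Session(session_id=sid, owner=client,
                                         request=msg["request"])
            return {"type": "TASK_ACK", "to": client, "session_id": sid}
        session = self.sessions.get(sid)
        # Unknown id and foreign owner get the same reply, so a probing client
        # learns nothing about which ids are live.
        if session is None or session.owner != client:
            return {"type": "ERROR", "to": client, "error": "unknown session"}
        return {"type": "TASK_ACK", "to": client, "session_id": sid}

    def complete_task(self, sid: str) -> dict:
        """Deliver once to the owner and evict; nothing stale stays in memory."""
        session = self.sessions.pop(sid)
        session.result = f"result for {session.request}"
        session.completed = True
        return send_task_end(session, session.owner)


def demo() -> dict:
    """Constructed exchange: alice runs a task, mallory presents alice's id."""
    task = {"type": "TASK", "request": "export payroll report"}
    probe = {"type": "TASK", "request": "anything"}

    vuln = VulnerableServer()
    vuln.handle_task("alice", {**task, "session_id": "session-001"})
    vuln.complete_task("session-001")
    leaked = vuln.handle_task("mallory", {**probe, "session_id": "session-001"})

    hard = HardenedServer()
    first = hard.handle_task("alice", task)
    sid = first["session_id"]
    replay_running = hard.handle_task("mallory", {**probe, "session_id": sid})
    delivered = hard.complete_task(sid)
    replay_after = hard.handle_task("mallory", {**probe, "session_id": sid})
    return {"leaked": leaked, "first": first, "replay_running": replay_running,
            "delivered": delivered, "replay_after": replay_after}


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply}")
```

Running demo() shows the two halves side by side: the vulnerable server hands mallory alice's stored result, while the hardened server rejects mallory both while alice's session is still running (owner mismatch) and after it completes (the session has been evicted, so the id is simply unknown). Returning the same error for both cases is deliberate; distinguishing them would tell a guessing client which ids are live.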

Defensive priority

medium

Recommended defensive actions

  • Upgrade Microsoft UFO to a release newer than 3.0.1-4-ge2626659 in which session identifiers are validated or regenerated so that a session cannot be reused across clients. The affected version string is git describe output (tag 3.0.1, four commits later, at commit e2626659), so check the exact commit you are running rather than relying on the 3.0.1 release number alone.
  • Generate session_id values server-side from a cryptographically secure random source and reject client-chosen values for new sessions; accept a session_id from a client only to continue a session that client itself owns.
  • Manage session lifecycle so that a completed session is removed from memory as soon as its result has been delivered (or expires after a short TTL) and cannot be re-entered by a later TASK message.
  • Monitor WebSocket TASK messages for a session_id presented by a different authenticated client than the one that opened it, for TASK messages against sessions that have already emitted TASK_END, and for bursts of distinct session_id values from a single client, which are consistent with guessing.
  • Review authentication boundaries so that session results are strictly bound to the originating authenticated client and are never delivered to a different client context.
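The monitoring action above, as detection logic run over a constructed stream of task events. This is an added example for this debrief, not part of Microsoft UFO or any vendor tooling: the JSON-lines format, the field names (ts, client, type, session_id), the sample records and the burst thresholds are all assumptions to be adapted to whatever your WebSocket gateway or application actually logs.

```python
"""Flag session_id reuse in a stream of WebSocket task events.

Added example for this debrief, not UFO or vendor code. Log format, field
names, sample records and thresholds are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice finishes s-1001, then mallory re-enters it
# and cycles through neighbouring ids within a few seconds.
SAMPLE_LOG = """\
{"ts": "2026-05-27T10:00:01Z", "client": "alice", "type": "TASK", "session_id": "s-1001"}
{"ts": "2026-05-27T10:00:09Z", "client": "alice", "type": "TASK_END", "session_id": "s-1001"}
{"ts": "2026-05-27T10:01:15Z", "client": "bob", "type": "TASK", "session_id": "s-2002"}
{"ts": "2026-05-27T10:01:40Z", "client": "mallory", "type": "TASK", "session_id": "s-1001"}
{"ts": "2026-05-27T10:01:41Z", "client": "mallory", "type": "TASK", "session_id": "s-1002"}
{"ts": "2026-05-27T10:01:42Z", "client": "mallory", "type": "TASK", "session_id": "s-1003"}
{"ts": "2026-05-27T10:02:00Z", "client": "bob", "type": "TASK_END", "session_id": "s-2002"}
"""

BURST_COUNT = 3                        # distinct session_ids from one client ...
BURST_WINDOW = timedelta(seconds=10)   # ... within this window looks like guessing


def _parse_ts(value: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11 onwards
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_reuse(lines) -> list[dict]:
    """Return one alert dict per suspicious TASK event, in log order."""
    owner: dict[str, str] = {}                      # session_id -> opening client
    finished: set[str] = set()                      # ids that reached TASK_END
    recent: dict[str, deque] = defaultdict(deque)   # client -> (ts, sid) in window
    alerts: list[dict] = []

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        sid, client = ev["session_id"], ev["client"]

        if ev["type"] == "TASK_END":
            finished.add(sid)
            continue
        if ev["type"] != "TASK":
            continue

        ts = _parse_ts(ev["ts"])
        opener = owner.setdefault(sid, client)
        if opener != client:
            # The exact condition the CVE describes: another authenticated
            # client presenting an id it did not open.
            alerts.append({"ts": ev["ts"], "rule": "cross-client-session-reuse",
                           "client": client, "session_id": sid,
                           "owner": opener, "completed": sid in finished})
        elif sid in finished:
            alerts.append({"ts": ev["ts"], "rule": "completed-session-reentry",
                           "client": client, "session_id": sid})

        # Sliding window of ids per client; many distinct ids in a short
        # span is what an attacker guessing session_ids looks like.
        window = recent[client]
        window.append((ts, sid))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        distinct = {s for _, s in window}
        if len(distinct) >= BURST_COUNT:
            alerts.append({"ts": ev["ts"], "rule": "session-id-burst",
                           "client": client, "distinct_ids": len(distinct)})
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the sample log this yields two alerts: a cross-client reuse of s-1001 by mallory (flagged as already completed, which is the stale-result case), followed by a burst alert once mallory has presented three distinct ids inside the window. The cross-client rule is the high-confidence signal; the burst rule is a weaker heuristic and its thresholds should be tuned against legitimate client behaviour before it pages anyone.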

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The affected product is Microsoft UFO, an open-source automation framework; affected versions are those up to and including 3.0.1-4-ge2626659. The CVSS 3.1 vector is AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact; this vector yields the 5.3 (Medium) base score shown above. The weakness is classified as CWE-639: Authorization Bypass Through User-Controlled Key.

Official resources

2026-05-27T23:16:48.247Z