PatchSiren cyber security CVE debrief
CVE-2026-54568 microsoft CVE debrief
The CVE record was published on 2026-07-16T16:19:13.220Z and has not been modified since then. This vulnerability affects Microsoft UFO open-source framework versions 3.0.0 through 3.0.6. A client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info due to missing role and object-level authorization in handle_device_info_request and get_device_info. This issue is fixed in version 3.0.6. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity.
- Vendor
- microsoft
- Product
- UFO
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Microsoft UFO open-source framework versions 3.0.0 through 3.0.6 should review and apply the fix. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess exposure and apply mitigations.
Technical summary
A client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info due to missing role and object-level authorization in handle_device_info_request and get_device_info. This issue is fixed in version 3.0.6. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. Users of Microsoft UFO open-source framework versions 3.0.0 through 3.0.6 should review and apply the fix.
Defensive priority
Medium priority due to CVSS score of 4.3 and potential for unauthorized information disclosure.
Recommended defensive actions
- Review and apply the fix in version 3.0.6
- Restrict access to the UFO WebSocket server
- Monitor for suspicious DEVICE_INFO_REQUEST calls
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
Evidence from official CVE and NVD records, as well as GitHub security advisories. The issue involves a client connected to the UFO WebSocket server as a DEVICE calling DEVICE_INFO_REQUEST with another device's target_id and receiving that device's server-side system_info due to missing role and object-level authorization in handle_device_info_request and get_device_info. This issue is fixed in version 3.0.6. Evidence limits suggest that affected deployments should be reviewed for exposure and patched or mitigated accordingly. Defenders should verify system_info access controls and monitor for suspicious DEVICE_INFO_REQUEST calls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T16:19:13.220Z and has not been modified since then.