CVE-2026-45322
Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Microsoft UFO v3.0.0 and earlier allow OS command injection when replaying stored shell actions via `subprocess.Popen` with `shell=True`.
Vulnerability
Microsoft UFO, an open-source framework for intelligent automation, contains an OS command injection vulnerability in the shell action replay path in versions up to and including v3.0.0 [1]. The ShellReceiver.run_shell() method passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe, as seen in ufo/automator/app_apis/shell/shell_client.py [1]. The same behavior is reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver [1]. An attacker who can write or modify a session/action JSON file can plant a shell action; when the session is resumed or replayed, UFO executes the attacker's command as the UFO process user [1].
Exploitation
An attacker needs the ability to write or modify a stored UFO session/action JSON file [1]. The attacker plants a malicious shell action with an arbitrary command string using PowerShell syntax or shell metacharacters. When the session is resumed or replayed, the stored JSON is read by RunShellCommand.execute() or ExecuteCommand.execute(), which forwards the parameters to ShellReceiver.run_shell() [1]. The method passes the command directly to subprocess.Popen(command, shell=True, executable=powershell.exe) [1]. Because shell=True is used, PowerShell interprets the injected metacharacters, resulting in OS command execution [1]. No user interaction beyond the attacker-controlled write is required for successful exploitation [1].
Impact
On successful exploitation, the attacker achieves arbitrary OS command execution with the privileges of the UFO process user [1]. This can lead to full information disclosure, modification, or deletion of data, installation of malicious software, or escalation of privileges depending on the process context [1]. The scope of compromise is limited to the security context of the UFO process user, but the attacker gains the ability to execute any PowerShell command [1].
Mitigation
The issue was silently hardened on the main branch around 2026-03-25 by removing shell=True and using an explicit argument list, but no patched tagged release has been published [1]. The latest tagged release, v3.0.0, remains affected [1]. As of the publication date (2026-05-27), no official patch or workaround is available in a tagged release [1]. Users are advised to avoid using session replay with untrusted JSON files or to apply the code change from the main branch manually [1]. The CVE is not yet listed in the KEV catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored action parameters are passed directly to subprocess.Popen() with shell=True and executable=powershell.exe, allowing shell interpretation of attacker-controlled command strings during session replay."
Attack vector
An attacker who can write or modify a UFO session/action JSON file plants a shell action with an attacker-controlled `params.command` value [ref_id=1]. When the victim resumes or replays the poisoned session, the call chain reaches `RunShellCommand.execute()` or `ExecuteCommand.execute()`, which forward the stored parameters to `ShellReceiver.run_shell()` or `ShellReceiver.execute_command()` [ref_id=1]. Because `shell=True` is used with PowerShell as the executable, shell metacharacters and injected PowerShell syntax in the stored command string are interpreted by the shell, executing the attacker's arbitrary command as the UFO process user [ref_id=1].
Affected code
The vulnerable component is `ufo/automator/app_apis/shell/shell_client.py` [ref_id=1]. In v3.0.0, `ShellReceiver.run_shell()` reads a command from `params.get("command")` and passes it directly to `subprocess.Popen()` with `shell=True` and `executable=powershell.exe` [ref_id=1]. The same shell-execution behavior is reachable through `ShellReceiver.execute_command()`, invoked by `RunShellCommand.execute()` and `ExecuteCommand.execute()` [ref_id=1].
What the fix does
No patched tagged release has been published; the latest tagged release v3.0.0 remains affected [ref_id=1]. The main branch appears to have been silently hardened around 2026-03-25 by removing `shell=True` and using an explicit argument list, which prevents shell interpretation of the command string [ref_id=1]. The advisory recommends that users pinned to v3.0.0 avoid replaying untrusted session artifacts until a security release is published [ref_id=1].
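An added audit-side example, not UFO's own code: it treats a per-session action record as untrusted input, flags every stored action that would reach the shell receiver, and shows the argument-list form of the PowerShell call that replaces `shell=True`. The record layout, the `click_input` action name and the `trusted_source` flag are assumptions for illustration.

```python
import json
import re
from typing import Dict, List

# Action classes the advisory names as forwarding stored params to ShellReceiver
# ("RunShell" is the name used in the reproduction step).
SHELL_ACTIONS = {"RunShellCommand", "ExecuteCommand", "RunShell"}
# PowerShell operators that chain or evaluate further commands; their presence in a
# stored command string is a strong signal that an action was planted.
CHAINING = re.compile(r"[;&|`]|\$\(|Invoke-Expression|\biex\b", re.IGNORECASE)


def audit_session(record: str) -> List[Dict[str, object]]:
    """Return one finding per stored action that would reach the shell receiver."""
    findings = []
    for index, action in enumerate(json.loads(record).get("actions", [])):
        name = action.get("function", "")
        command = (action.get("params") or {}).get("command")
        if name in SHELL_ACTIONS or command is not None:
            findings.append({
                "index": index,
                "function": name,
                "command": command or "",
                "chaining": bool(command and CHAINING.search(command)),
            })
    return findings


def build_argv(command: str) -> List[str]:
    """Argument-list form of the call: no intermediate shell parses the string.
    PowerShell still runs whatever reaches -Command, so gate untrusted records first."""
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", command]


def safe_to_replay(record: str, trusted_source: bool) -> bool:
    """Allow shell actions only from records that came from a trusted location (assumed flag)."""
    return trusted_source or not audit_session(record)


# Constructed sample record: one ordinary UI action and one planted shell action.
# The layout and the click_input name approximate UFO's per-session JSON (assumption).
SAMPLE_RECORD = json.dumps({"actions": [
    {"function": "click_input", "params": {"control_label": "3"}},
    {"function": "RunShellCommand",
     "params": {"command": "Get-Date; Start-Process notepad"}},
]})

if __name__ == "__main__":
    for finding in audit_session(SAMPLE_RECORD):
        print(finding)
    print("replay allowed:", safe_to_replay(SAMPLE_RECORD, trusted_source=False))
```

Run it over each session directory before resuming a session; a non-empty result from an untrusted location is the signal to inspect the record rather than replay it.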
Preconditions
- Input: Attacker must be able to write or modify a UFO session/action JSON file (e.g., on shared workstations, shared project/session directories, synchronized or imported UFO session directories, or via a malicious local application)
- Input: Victim must resume or replay the poisoned UFO session
- Config: UFO process must be running with privileges to execute PowerShell
Reproduction
1. Check out the affected tagged release: `git clone https://github.com/microsoft/UFO.git && cd UFO && git checkout v3.0.0` [ref_id=1].
2. Create or modify a UFO session/action JSON record to contain a shell action with attacker-controlled parameters, e.g., a `RunShell` action with `"command": "powershell -NoProfile -Command \"Set-Content -Path $env:TEMP\\ufo_shell_replay_poc.txt -Value 'UFO shell replay command executed'\""` [ref_id=1].
3. Replay or resume the UFO session containing the planted shell action [ref_id=1].
4. Confirm code execution by checking for the marker file `%TEMP%\ufo_shell_replay_poc.txt` containing "UFO shell replay command executed" [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)