CVE-2026-46402

An authenticated attacker sends a WebSocket or HTTP task request containing path traversal sequences (e.g., `../`) in the `task_name` field. The UFO server passes this untrusted value into session creation without sanitization. `BaseSession` constructs a log path as `f"logs/{task}/"`, which resolves outside the intended `logs/` directory when `task_name` contains `../`. The server then creates the directory and writes `response.log`, `request.log`, and `evaluation.log` at the attacker-controlled location [ref_id=1].

The vulnerability spans multiple files. The WebSocket handler at `ufo/server/ws/handler.py` and the HTTP dispatch path at `ufo/server/services/api.py` both accept an attacker-controlled `task_name` from the client. This value is forwarded through `ufo/server/services/session_manager.py` into `BaseSession` in `ufo/module/basic.py`, where it is used directly to construct `self.log_path = f"logs/{task}/"` and passed to `os.makedirs()` via `ufo/utils/__init__.py`. No validation or normalization is applied to `task_name` at any point in this flow [ref_id=1].

No patch is published in the bundle. The advisory recommends rejecting unsafe `task_name` values containing path separators, `..`, drive prefixes, or absolute paths; generating server-owned opaque directory names for log storage instead of using user-facing task names; normalizing and resolving the final log path and verifying it remains under the intended log root; and using allowlisted characters for any filesystem-facing identifier [ref_id=1].

The advisory includes a full Python PoC that instantiates a minimal `BaseSession` subclass with `task="../ufo_taskname_escape_poc"`. Run with `UFO_REPO=/path/to/UFO python -B embedded_poc.py`. The PoC verifies the source code paths, creates a `DummySession` with the traversal payload, and confirms that `log_path` resolves outside `logs/` and that `response.log`, `request.log`, and `evaluation.log` are created at the escaped location [ref_id=1].