CVE-2026-46538
Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Microsoft UFO's constellation client accepts forged TASK_END messages from any authenticated peer, allowing cross-device task-result injection.
Vulnerability
In Microsoft UFO version 3.0.1-4-ge2626659, the constellation client's task completion logic does not verify that a TASK_END message originates from the device that originally received the task. Pending tasks are stored in connection_manager.py keyed by session ID only, and the completion handler in message_processor.py resolves the pending Future without comparing the sender's device ID against the stored target device ID. This allows any authenticated peer device to inject a forged TASK_END with a known session ID.
Exploitation
An attacker must be an authenticated peer device on the same constellation network. The attacker needs to know a pending session ID (e.g., by observing network traffic or guessing). They then send a crafted TASK_END message containing that session ID and attacker-controlled result data. The constellation client accepts the message and completes the victim device's pending Future with the attacker's data.
Impact
Successful exploitation enables an authenticated attacker to inject arbitrary result data into a pending task response of another device. This can lead to data corruption, misdirection of downstream processing, or further compromise depending on how the task result is consumed. The vulnerability is classified as an authenticated cross-device task-result injection.
Mitigation
Microsoft has released a security update addressing this issue; users should upgrade to the latest version of the UFO framework. See the advisory [1] for the fixed version and upgrade instructions. No workaround is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing device-identity verification in task completion path allows cross-device task-result injection."
Attack vector
An attacker who is an authenticated peer device on the same constellation can forge a TASK_END message containing the same `session_id` as a pending task assigned to a victim device [ref_id=1]. The constellation's message processor accepts the message without verifying that the sender device matches the device that originally received the task [ref_id=1]. The pending Future is then resolved with the attacker-controlled result data, achieving cross-device task-result injection [CWE-345] (note: derived from "cross-device task-result injection" in ref_id=1). The attacker must know or guess the pending session_id (e.g., `demo@task-123`) and be able to send a crafted WebSocket message to the constellation server [ref_id=1].
Affected code
The vulnerability resides in `galaxy/client/components/connection_manager.py` and `galaxy/client/components/message_processor.py` [ref_id=1]. In `connection_manager.py`, pending tasks are stored keyed only by session ID (`self._pending_tasks[task_id] = (device_id, task_future)`) and the completion path (`complete_task_response`) looks up the task by session ID without verifying the stored device_id matches the sender [ref_id=1]. In `message_processor.py`, the `_handle_task_completion` handler extracts `session_id` from the incoming message but never compares the sender's `device_id` against the original target device stored in the pending task record [ref_id=1].
What the fix does
No patch is included in the bundle; the advisory [ref_id=1] describes the expected secure behavior but does not provide a code fix. The advisory states that the constellation should reject the TASK_END because it arrived on the attacker-device's channel while the pending task was assigned to the victim-device [ref_id=1]. A remediation would require the `complete_task_response` method in `connection_manager.py` to compare the sender's device_id against the stored device_id from the pending task tuple and reject the message if they do not match [ref_id=1].
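The check described above, written out as an added example that is not UFO's own code: a pending-task table that stores the target device alongside each session's Future, and a completion path that refuses a TASK_END whose sending channel is not that device. `PendingTaskRegistry`, `handle_message` and `run_scenario` are hypothetical stand-ins for the `connection_manager.py` / `message_processor.py` logic the advisory names; the session ID `demo@task-123` and the result `{'output': 'spoofed by peer'}` are constructed values that mirror the advisory's PoC. The sender identity is taken from the authenticated channel the message arrived on, never from a field inside the message body, and every mismatch is recorded so a defender can alert on it.

```python
from concurrent.futures import Future
from typing import Any, Dict, List, Tuple


class TaskCompletionRejected(Exception):
    """A TASK_END arrived from a device other than the one the task was sent to."""


class PendingTaskRegistry:
    """Hypothetical stand-in for the connection manager's pending-task table.

    Each entry binds a session_id to the device the task was dispatched to, and
    complete_task_response enforces that binding instead of trusting session_id alone.
    """

    def __init__(self) -> None:
        self._pending_tasks: Dict[str, Tuple[str, Future]] = {}
        self.rejections: List[Dict[str, str]] = []  # kept for audit / detection

    def register_task(self, session_id: str, device_id: str) -> Future:
        """Record that session_id was dispatched to device_id and return its Future."""
        fut: Future = Future()
        self._pending_tasks[session_id] = (device_id, fut)
        return fut

    def complete_task_response(self, session_id: str, sender_device_id: str,
                               result: Any) -> bool:
        """Resolve the Future only if the sender is the bound target device.

        Returns False for an unknown (or already completed) session and raises
        TaskCompletionRejected when the sender does not match the stored device.
        """
        record = self._pending_tasks.get(session_id)
        if record is None:
            return False
        target_device_id, fut = record
        if sender_device_id != target_device_id:
            self.rejections.append({"session_id": session_id,
                                    "expected": target_device_id,
                                    "actual": sender_device_id})
            raise TaskCompletionRejected(
                f"TASK_END for {session_id} arrived from {sender_device_id}, "
                f"but the task was assigned to {target_device_id}")
        del self._pending_tasks[session_id]  # one completion per session
        fut.set_result(result)
        return True


def handle_message(registry: PendingTaskRegistry, channel_device_id: str,
                   message: Dict[str, Any]) -> str:
    """Hypothetical message-processor hook for TASK_END.

    channel_device_id is the identity of the authenticated WebSocket channel the
    message came in on; any device_id field inside the body is ignored because a
    peer can put whatever it likes there.
    """
    if message.get("type") != "TASK_END":
        return "ignored"
    session_id = message.get("session_id")
    if not isinstance(session_id, str):
        return "malformed"
    try:
        accepted = registry.complete_task_response(
            session_id, channel_device_id, message.get("result"))
    except TaskCompletionRejected:
        return "rejected"
    return "accepted" if accepted else "unknown_session"


def run_scenario() -> Dict[str, Any]:
    """Constructed scenario: a task pending for victim-device, a TASK_END for the
    same session delivered on attacker-device's channel, then the genuine one."""
    registry = PendingTaskRegistry()
    fut = registry.register_task("demo@task-123", "victim-device")

    forged = {"type": "TASK_END", "session_id": "demo@task-123",
              "device_id": "victim-device",  # body field, deliberately not trusted
              "result": {"output": "spoofed by peer"}}
    genuine = {"type": "TASK_END", "session_id": "demo@task-123",
               "result": {"output": "real output"}}

    forged_outcome = handle_message(registry, "attacker-device", forged)
    pending_after_forged = not fut.done()
    genuine_outcome = handle_message(registry, "victim-device", genuine)
    replay_outcome = handle_message(registry, "victim-device", genuine)

    return {
        "forged": forged_outcome,
        "pending_after_forged": pending_after_forged,
        "genuine": genuine_outcome,
        "replay": replay_outcome,
        "result": fut.result(),
        "rejections": len(registry.rejections),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the forged message rejected with the victim's Future still pending, the genuine completion accepted, and a second delivery of the same session treated as unknown because the entry was removed on completion. The `rejections` list is the hook a defender would wire to logging: a TASK_END whose channel does not match the task's target device is exactly the event the advisory describes and should never occur in normal operation.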
Preconditions
- auth: Attacker must be an authenticated peer device connected to the same constellation
- input: Attacker must know or guess the session_id of a pending task assigned to another device
- network: Attacker must be able to send a forged TASK_END message over the WebSocket channel
Reproduction
The advisory [ref_id=1] includes a full PoC script. To reproduce: clone the UFO repository at commit `e2626659`, save the PoC as `/tmp/ufo_task_end_injection_poc.py`, set `UFO_REPO_ROOT` to the checkout path, and run `python -B /tmp/ufo_task_end_injection_poc.py`. The script registers a pending task Future for `victim-device` under session ID `demo@task-123`, then delivers a forged TASK_END on the `attacker-device` channel. The observed output confirms the victim-device's Future is completed with the attacker-controlled result `{'output': 'spoofed by peer'}` [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.