Six CVEs Disclosed in Microsoft UFO Open-Source Automation Framework
Six vulnerabilities, three of them rated High severity, were disclosed on May 27, 2026, in Microsoft's open-source UFO intelligent automation framework, spanning privilege escalation through spoofed roles, session hijacking, forged task results, shared connection state, path traversal, and OS command injection.

Microsoft's open-source UFO framework — an intelligent automation platform for orchestrating tasks across devices and platforms — landed in the spotlight on May 27, 2026, when six CVEs were disclosed in a single batch. The vulnerabilities affect UFO versions up to and including the 3.0.1-4-ge2626659 commit, with three rated High severity: CVSS 8.8 and 8.1 for flaws in the development commit, and CVSS 7.8 for a command injection flaw in the tagged release branch. The batch spans session management weaknesses, authorization bypass through client-supplied role fields, a shared-state concurrency bug, path traversal, and a dangerous OS command injection in the shell action replay path.
The most severe of the batch is CVE-2026-46414 (CVSS 8.8, High), which stems from UFO's WebSocket control plane trusting client-supplied identity and role fields in task messages. A client that registers as a normal device can later send a TASK message claiming a controller role — effectively impersonating a controller or administrator. This allows an attacker to escalate privileges and issue arbitrary commands across the UFO constellation without proper server-side authorization checks.
A related session-management flaw, CVE-2026-46544 (CVSS 5.3, Medium), allows an authenticated client to supply a session_id value in WebSocket task messages that matches a prior completed session. Because UFO reuses existing in-memory session objects when a matching session_id is found, an attacker can hijack a stale session and inherit whatever permissions or task context that session carried.
CVE-2026-46538 (CVSS 5.9, Medium) targets UFO's constellation client, which tracks pending task responses by session_id alone. The client does not verify that a TASK_END message originated from the device that originally received the task. An attacker who can inject messages into the WebSocket stream can send a forged TASK_END response, causing the constellation client to prematurely conclude a task or accept a spoofed result — potentially derailing multi-step automation workflows.
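The three control-plane checks that the descriptions of CVE-2026-46414, CVE-2026-46544 and CVE-2026-46538 imply are missing (role and identity fixed at registration from the authenticated connection rather than read from later messages, no reuse of a completed session_id, and TASK_END accepted only from the device the task was dispatched to) can be modelled in a few dozen lines. The following is an added Python example written for this article, not UFO's handler: the ControlPlane, Connection and Session classes, the message field names (type, role, device_id, session_id, target_device) and the in-memory bookkeeping are all assumptions for illustration.

```python
"""Added example: server-side trust boundaries for a WebSocket task protocol.

Not UFO's code. It models, in memory, three checks: role and identity are
fixed at registration from the authenticated connection (the CVE-2026-46414
pattern), a session_id cannot resurrect a completed session (CVE-2026-46544),
and a TASK_END is accepted only from the device the task was dispatched to
(CVE-2026-46538). All names and message fields below are assumptions.
"""
import secrets
from dataclasses import dataclass
from enum import Enum


class Role(str, Enum):
    DEVICE = "device"
    CONTROLLER = "controller"


@dataclass
class Connection:
    conn_id: str        # server-assigned id of the WebSocket connection
    device_id: str      # identity established when the connection authenticated
    role: Role          # role established when the connection authenticated


@dataclass
class Session:
    session_id: str
    owner_conn: str     # controller connection that opened the session
    completed: bool = False


class ControlPlane:
    def __init__(self) -> None:
        self.connections: dict[str, Connection] = {}
        self.sessions: dict[str, Session] = {}
        # session_id -> conn_id of the device the task was dispatched to
        self.pending: dict[str, str] = {}

    def register(self, conn_id: str, device_id: str, authenticated_role: Role) -> None:
        # The role comes from whatever authenticated the connection (token, client
        # certificate, ...), never from a field in a later message.
        self.connections[conn_id] = Connection(conn_id, device_id, authenticated_role)

    def handle(self, conn_id: str, msg: dict) -> tuple:
        conn = self.connections.get(conn_id)
        if conn is None:
            return False, "unregistered connection"
        # Client-supplied identity/role fields are deliberately ignored:
        # msg.get("role") and msg.get("device_id") never influence authorization.
        if msg.get("type") == "TASK":
            return self._on_task(conn, msg)
        if msg.get("type") == "TASK_END":
            return self._on_task_end(conn, msg)
        return False, "unknown message type"

    def _on_task(self, conn: Connection, msg: dict) -> tuple:
        if conn.role is not Role.CONTROLLER:
            return False, "only controllers may dispatch tasks"
        sid = msg.get("session_id")
        if sid is None:
            sid = secrets.token_hex(16)          # fresh, unguessable session id
            self.sessions[sid] = Session(sid, conn.conn_id)
        else:
            sess = self.sessions.get(sid)
            # Unknown, completed, or someone else's session: refuse to reuse it.
            if sess is None or sess.completed or sess.owner_conn != conn.conn_id:
                return False, "session_id rejected"
        target = next((c for c in self.connections.values()
                       if c.role is Role.DEVICE and c.device_id == msg.get("target_device")),
                      None)
        if target is None:
            return False, "target device not connected"
        self.pending[sid] = target.conn_id       # remember who must answer
        return True, sid

    def _on_task_end(self, conn: Connection, msg: dict) -> tuple:
        sid = msg.get("session_id")
        expected = self.pending.get(sid)
        if expected is None:
            return False, "no task pending for that session"
        if expected != conn.conn_id:
            # Origin check: the TASK_END must arrive over the connection the task went to.
            return False, "TASK_END from a connection that did not receive the task"
        del self.pending[sid]
        self.sessions[sid].completed = True
        return True, sid
```

The important design choice is that `handle` never reads `role` or `device_id` from the message at all; authorization keys off the server-side `Connection` record, so a device that later claims the controller role in a TASK message is still treated as a device.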
CVE-2026-46416 (CVSS 6.3, Medium) describes a concurrency hazard in UFO's WebSocket layer. The framework creates one shared UFOWebSocketHandler instance and reuses it across multiple authenticated WebSocket connections. Per-connection protocol objects are stored in mutable instance fields of that shared handler, so one client's connection state can leak into, or be overwritten by, another's. Any client connected to the same UFO instance could observe or interfere with another device's protocol negotiation, potentially leading to information disclosure or denial of service.
CVE-2026-46402 (CVSS 8.1, High) is a path traversal vulnerability in UFO's session logging mechanism. The framework uses the user-controlled task_name value directly when constructing session log directory paths. An authenticated client can supply path traversal sequences (e.g., ../../) in task_name and cause UFO to create log directories or write log files outside the intended logging directory. Depending on filesystem permissions, this could allow an attacker to overwrite configuration files or plant malicious content in sensitive locations.
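The fix for this class of bug has two parts: treat task_name as a label rather than a path (strict character set, no separators, no `..`), and, as defense in depth, verify that the resolved directory still sits under the log root before creating anything. The following is an added Python example written for this article, not UFO's logging code; the function names, the regex and the log layout are assumptions, and `naive_log_dir` is an illustration of the join-the-name-straight-in pattern the advisory describes rather than a copy of UFO's implementation.

```python
"""Added example: keep a client-supplied task_name from steering log paths.

Illustrative code, not UFO's. Function names and the log layout are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Letters, digits, dot, underscore and hyphen; must start alphanumeric; at most 64 chars.
_TASK_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_task_name(task_name: str) -> str:
    """Accept a task_name only if it is a plain label with no path semantics."""
    if (not isinstance(task_name, str)
            or not _TASK_NAME_RE.fullmatch(task_name)
            or ".." in task_name):
        raise ValueError(f"invalid task_name: {task_name!r}")
    return task_name


def is_inside(base: Path, candidate: Path) -> bool:
    """True if candidate (already resolved) is base itself or lies below it."""
    return candidate == base or base in candidate.parents


def session_log_dir(log_root: str, task_name: str, create: bool = False) -> Path:
    """Resolve the per-session log directory, refusing anything outside log_root."""
    base = Path(log_root).resolve()
    target = (base / validate_task_name(task_name)).resolve()
    # Defense in depth: even a name that passed the regex must land under the root
    # (guards against symlinks inside the log root and future loosening of the regex).
    if not is_inside(base, target):
        raise ValueError(f"log directory escapes root: {target}")
    if create:
        target.mkdir(parents=True, exist_ok=True)
    return target


def naive_log_dir(log_root: str, task_name: str) -> Path:
    """The vulnerable pattern: task_name joined straight into the path, no checks."""
    return (Path(log_root) / task_name).resolve()


if __name__ == "__main__":
    root = tempfile.mkdtemp()                      # constructed, throwaway log root
    print("naive:", naive_log_dir(root, "../../etc"))   # resolves outside root
    print("safe: ", session_log_dir(root, "ingest-2026.05", create=True))
```

`is_inside` compares resolved paths rather than string prefixes, so a root of `/var/log/ufo` does not accidentally accept `/var/log/ufo-other`, and the regex rejects separators and leading dots outright instead of trying to "clean" them, which is what turns a traversal attempt into a loud error rather than a silently renamed directory.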
CVE-2026-45322 (CVSS 7.8, High) affects UFO tagged releases up to and including v3.0.0. The ShellReceiver.run_shell() method passes a command string from action parameters directly to the OS shell without sanitization. An attacker who can craft or replay a shell action — for example, by exploiting one of the other session or privilege flaws in this batch — can execute arbitrary operating system commands on the UFO host. This is the only CVE in the batch that explicitly affects the tagged release branch (v3.0.0 and earlier), while the other five were identified in the 3.0.1-4-ge2626659 development commit.
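The advisory describes a command string handed straight to the OS shell; the hardened form below never invokes a shell at all. It rejects shell metacharacters up front, tokenises with `shlex`, checks the executable against an allowlist, and runs the argument vector with `shell=False`. This is an added Python example written for this article, not UFO's `ShellReceiver`: `run_shell_vulnerable` shows the `subprocess.run(..., shell=True)` shape assumed for the vulnerable path, and the allowlist contents, `SHELL_META` set and result type are assumptions to be adapted to a real deployment.

```python
"""Added example: a shell-action executor that cannot be turned into an OS shell.

Illustrative code, not UFO's ShellReceiver. The allowlist, the metacharacter
set and the ShellResult type are assumptions for this article.
"""
import os
import shlex
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Characters that only make sense to a shell; none of them are needed for a plain argv.
SHELL_META = set(";|&$`<>(){}\n")
# Executables a replayed action may invoke; everything else is refused.
ALLOWED_EXECUTABLES = {"echo", "hostname", "whoami", "uname"}


@dataclass
class ShellResult:
    ok: bool
    reason: str = ""
    argv: List[str] = field(default_factory=list)
    returncode: Optional[int] = None
    stdout: str = ""
    stderr: str = ""


def run_shell_vulnerable(command: str) -> subprocess.CompletedProcess:
    """The pattern the advisory describes: the action's string goes straight to sh -c."""
    return subprocess.run(command, shell=True, capture_output=True, text=True)


def validate_shell_action(command: str) -> List[str]:
    """Turn a command string into an argv, or raise ValueError if it is not allowed."""
    bad = sorted(set(command) & SHELL_META)
    if bad:
        raise ValueError(f"shell metacharacters rejected: {bad}")
    argv = shlex.split(command)          # raises ValueError on unbalanced quotes
    if not argv:
        raise ValueError("empty command")
    # Bare program names only: no paths, so the allowlist cannot be bypassed with /bin/sh.
    if os.path.basename(argv[0]) != argv[0] or argv[0] not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable not allowed: {argv[0]!r}")
    return argv


def run_shell_hardened(command: str, timeout: float = 10.0) -> ShellResult:
    """Validate, then execute without a shell, with a timeout and captured output."""
    try:
        argv = validate_shell_action(command)
    except ValueError as exc:
        return ShellResult(ok=False, reason=str(exc))
    exe = shutil.which(argv[0])          # resolve via PATH once, after the allowlist check
    if exe is None:
        return ShellResult(ok=False, reason=f"executable not found: {argv[0]!r}", argv=argv)
    proc = subprocess.run([exe, *argv[1:]], shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return ShellResult(ok=proc.returncode == 0, argv=argv, returncode=proc.returncode,
                       stdout=proc.stdout, stderr=proc.stderr)


if __name__ == "__main__":
    for cmd in ("echo hi", "echo hi; id", "echo $(id)", "/bin/sh -c id"):
        r = run_shell_hardened(cmd)
        print(f"{cmd!r:22} ok={r.ok} reason={r.reason!r} stdout={r.stdout.strip()!r}")
```

Note that with `shell=False` the metacharacter check is belt-and-braces: `;` would already be passed to `echo` as a literal argument, but rejecting it early gives a clear error instead of a confusing "it ran but did something odd", and it closes the door on any future code path that does reach a shell. An allowlist of bare program names, resolved through `shutil.which` only after the check, is what stops a replayed action from naming `/bin/sh` or `python` directly.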
Microsoft has not yet released a patched version addressing all six CVEs as of the disclosure date. Users running UFO in production environments should review the specific commit ranges affected: for CVE-2026-45322, any deployment on tagged releases v3.0.0 or earlier is vulnerable; for the remaining five CVEs, deployments at commit 3.0.1-4-ge2626659 or earlier are affected. Until an official patch is available, mitigations include restricting WebSocket access to trusted networks; deriving each connection's identity and role server-side from its authentication and ignoring any identity or role fields carried in task messages; refusing task messages that reference completed sessions; accepting a TASK_END only from the device the task was dispatched to; restricting task_name to a safe character set and checking that the resolved log path stays under the log root before creating directories; and disabling shell actions, or allowlisting the executables they may invoke.
UFO is Microsoft's bet on cross-device intelligent automation, and this disclosure reveals fundamental trust assumptions baked into its WebSocket control plane. The cluster of session-reuse, identity-spoofing, and shared-state bugs suggests the framework's communication protocol was designed with implicit trust of client-supplied data — a pattern that, when combined with the OS command injection in the shell action path, creates a credible attack chain from low-privileged device registration to full host compromise. Users should prioritize applying patches as soon as Microsoft releases them and consider network-level segmentation of UFO WebSocket traffic in the interim.