Skip to main content

Microsoft UFO CVE-2026-45322

HIGH
OS Command Injection (CWE-78)
2026-05-27 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 22:51 vuln.today
CVE Published
May 27, 2026 - 21:32 nvd
HIGH 7.8

DescriptionGitHub Advisory

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.

AnalysisAI

Arbitrary OS command execution in Microsoft's UFO intelligent-automation framework (tagged releases up to and including v3.0.0) lets a local, low-privileged attacker who can write or modify a per-session action JSON record plant a malicious shell action that is executed via PowerShell when the session is resumed or replayed. The injected command runs with the privileges of the UFO process user, yielding full confidentiality, integrity, and availability impact (CVSS 7.8, CWE-78). There is no public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied to gauge exploitation likelihood.

Technical ContextAI

UFO is Microsoft's open-source agentic automation framework that drives actions across Windows applications and platforms (CPE cpe:2.3:a:microsoft:ufo). The root cause is a classic CWE-78 OS command injection: ShellReceiver.run_shell() takes a command string sourced from action parameters and hands it directly to subprocess.Popen() with shell=True and executable=powershell.exe, with no quoting or sanitization, so any shell metacharacters in the parameter are interpreted by PowerShell. The same unsafe execution path is also reachable via ShellReceiver.execute_command(). These receivers are invoked by the action classes RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters downstream. The critical design factor is that UFO persists planned and executed actions in per-session JSON files; that on-disk record becomes the injection sink because its contents are trusted and re-executed verbatim on session resume/replay.

RemediationAI

Upgrade to a UFO release newer than v3.0.0 once the maintainers publish a fixed build; consult the vendor advisory GHSA-wj72-7w8h-695f (https://github.com/microsoft/UFO/security/advisories/GHSA-wj72-7w8h-695f) for the exact patched version, as a released patched version is not independently confirmed from the available data. Until a verified patch is applied, the most direct compensating control is to lock down filesystem permissions on the per-session/action JSON directories so only the UFO process user (and no lower-privileged local user) can write them, which closes the injection sink but may break multi-user or shared-workspace setups. Additional controls: do not resume or replay sessions whose JSON records originate from untrusted or shared locations; run UFO under a dedicated least-privilege service account to limit the blast radius of any injected command; and if the shell action capability is not required, disable or remove the RunShellCommand/ExecuteCommand pathway, accepting the trade-off that automation flows relying on shell execution will stop working.

Share

CVE-2026-45322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy