Microsoft UFO
CVE-2026-45322
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user.
AnalysisAI
Arbitrary OS command execution in Microsoft's UFO intelligent-automation framework (tagged releases up to and including v3.0.0) lets a local, low-privileged attacker who can write or modify a per-session action JSON record plant a malicious shell action that is executed via PowerShell when the session is resumed or replayed. The injected command runs with the privileges of the UFO process user, yielding full confidentiality, integrity, and availability impact (CVSS 7.8, CWE-78). There is no public exploit identified at time of analysis, and no EPSS or CISA KEV data was supplied to gauge exploitation likelihood.
Technical ContextAI
UFO is Microsoft's open-source agentic automation framework that drives actions across Windows applications and platforms (CPE cpe:2.3:a:microsoft:ufo). The root cause is a classic CWE-78 OS command injection: ShellReceiver.run_shell() takes a command string sourced from action parameters and hands it directly to subprocess.Popen() with shell=True and executable=powershell.exe, with no quoting or sanitization, so any shell metacharacters in the parameter are interpreted by PowerShell. The same unsafe execution path is also reachable via ShellReceiver.execute_command(). These receivers are invoked by the action classes RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters downstream. The critical design factor is that UFO persists planned and executed actions in per-session JSON files; that on-disk record becomes the injection sink because its contents are trusted and re-executed verbatim on session resume/replay.
RemediationAI
Upgrade to a UFO release newer than v3.0.0 once the maintainers publish a fixed build; consult the vendor advisory GHSA-wj72-7w8h-695f (https://github.com/microsoft/UFO/security/advisories/GHSA-wj72-7w8h-695f) for the exact patched version, as a released patched version is not independently confirmed from the available data. Until a verified patch is applied, the most direct compensating control is to lock down filesystem permissions on the per-session/action JSON directories so only the UFO process user (and no lower-privileged local user) can write them, which closes the injection sink but may break multi-user or shared-workspace setups. Additional controls: do not resume or replay sessions whose JSON records originate from untrusted or shared locations; run UFO under a dedicated least-privilege service account to limit the blast radius of any injected command; and if the shell action capability is not required, disable or remove the RunShellCommand/ExecuteCommand pathway, accepting the trade-off that automation flows relying on shell execution will stop working.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today