Microsoft UFO
CVE-2026-46538
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.
AnalysisAI
Authenticated cross-device task-result injection in Microsoft UFO's constellation architecture allows a low-privileged peer device to hijack the pending task response of a victim device by spoofing a TASK_END message. Specifically in version 3.0.1-4-ge2626659, the constellation server resolves pending Futures keyed solely on session_id without binding verification to the originating device, meaning any authenticated constellation participant who can supply a matching session_id can substitute attacker-controlled result data into the victim device's task flow. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the high-complexity CVSS vector (AC:H) reflects the session_id guessing or observation requirement.
Technical ContextAI
Microsoft UFO is an open-source agentic automation framework that coordinates tasks across multiple devices via a constellation server. The constellation dispatches tasks to target devices and tracks their completion using Python asyncio Future objects keyed by session_id. According to the advisory, the pending task record internally stores the expected device ID binding, but the TASK_END completion handler does not enforce that binding - it resolves the Future for any authenticated peer that presents the correct session_id. CWE-294 (Authentication Bypass by Capture-Replay) describes the root cause class: the framework authenticates participants at connection time but does not re-verify device identity at the message-handling level, allowing a legitimately authenticated device to act on behalf of another. Affected CPE is cpe:2.3:a:microsoft:ufo:*:*:*:*:*:*:*:*, with the specific vulnerable commit identified as 3.0.1-4-ge2626659.
RemediationAI
The primary reference is the GitHub Security Advisory GHSA-wmq2-74rj-7pjc at https://github.com/microsoft/UFO/security/advisories/GHSA-wmq2-74rj-7pjc; consult it for the upstream patch commit or patched release version, as no exact fix version number was included in the available intelligence - upstream fix availability via PR or commit is plausible but a released tagged version has not been independently confirmed from this data. As a compensating control pending patch application, restrict constellation membership strictly to mutually trusted, isolated devices using network-level access controls (e.g., firewall rules limiting which hosts can join the constellation), reducing the pool of peers who could send forged TASK_END messages. Additionally, adding server-side device-ID binding enforcement in the TASK_END handler - validating that the responding device matches the original dispatch record - would directly close the logical gap, and operators with the ability to patch locally should apply this fix. Note that restricting constellation membership may impact the multi-device automation use cases UFO is designed for, so the trade-off must be weighed against operational requirements.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today