Skip to main content

Microsoft UFO CVE-2026-55440

| EUVDEUVD-2026-44947 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-07-16 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network WebSocket endpoint requires authenticated client (PR:L); only availability is impacted via session exhaustion, no confidentiality or integrity consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 16:17 vuln.today
Analysis Generated
Jul 16, 2026 - 16:17 vuln.today
CVE Published
Jul 16, 2026 - 15:35 cve.org
MEDIUM 6.5

DescriptionCVE.org

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMAND_RESULTS handler in ufo/server/ws/handler.py called get_or_create_session in ufo/server/services/session_manager.py without owner_client_id, allowing an authenticated client to create an unowned attacker-chosen session_id such as constellation_task_id = f"{task_name}@{task_id}" and deny the legitimate owner or exhaust memory with phantom sessions. This issue is fixed in version 3.0.7.

AnalysisAI

Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as any UFO WebSocket client
Delivery
Send COMMAND_RESULTS with attacker-chosen session_id
Exploit
Handler calls get_or_create_session without owner binding
Execution
Phantom session injected into shared session store
Persist
Legitimate owner raises SessionOwnershipError on claim
Impact
Task session permanently denied or memory exhausted

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WebSocket connection to the UFO server - the attacker must be a registered client, consistent with CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is well-aligned with the described behavior: network-accessible, low attack complexity, requires an authenticated (low-privilege) client, produces high availability impact, and has no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated WebSocket client sends a COMMAND_RESULTS message to the UFO server bearing a session_id crafted to match a predictable upcoming task identifier (e.g., 'constellation-demo@task_001'). The unpatched handler calls get_or_create_session without owner_client_id, registering a phantom session with no owner; when the legitimate constellation client subsequently attempts to claim that session, SessionOwnershipError is raised and the task is permanently blocked. …
Remediation Upgrade to Microsoft UFO version 3.0.7, the vendor-released patch available at https://github.com/microsoft/UFO/releases/tag/3.0.7 (fix commit https://github.com/microsoft/UFO/commit/cc653bde75337ab60c320e6b7cb61b86ba6ca948). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy