Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network WebSocket endpoint requires authenticated client (PR:L); only availability is impacted via session exhaustion, no confidentiality or integrity consequence.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMAND_RESULTS handler in ufo/server/ws/handler.py called get_or_create_session in ufo/server/services/session_manager.py without owner_client_id, allowing an authenticated client to create an unowned attacker-chosen session_id such as constellation_task_id = f"{task_name}@{task_id}" and deny the legitimate owner or exhaust memory with phantom sessions. This issue is fixed in version 3.0.7.
AnalysisAI
Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WebSocket connection to the UFO server - the attacker must be a registered client, consistent with CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.5 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is well-aligned with the described behavior: network-accessible, low attack complexity, requires an authenticated (low-privilege) client, produces high availability impact, and has no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated WebSocket client sends a COMMAND_RESULTS message to the UFO server bearing a session_id crafted to match a predictable upcoming task identifier (e.g., 'constellation-demo@task_001'). The unpatched handler calls get_or_create_session without owner_client_id, registering a phantom session with no owner; when the legitimate constellation client subsequently attempts to claim that session, SessionOwnershipError is raised and the task is permanently blocked. … |
| Remediation | Upgrade to Microsoft UFO version 3.0.7, the vendor-released patch available at https://github.com/microsoft/UFO/releases/tag/3.0.7 (fix commit https://github.com/microsoft/UFO/commit/cc653bde75337ab60c320e6b7cb61b86ba6ca948). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44947