Skip to main content

Microsoft UFO EUVDEUVD-2026-44943

| CVE-2026-54568 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-16 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable WebSocket server requires authenticated DEVICE registration (PR:L); impact is limited to peer device metadata disclosure with no integrity or availability consequences.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 16:16 vuln.today
Analysis Generated
Jul 16, 2026 - 16:16 vuln.today
CVE Published
Jul 16, 2026 - 15:32 cve.org
MEDIUM 4.3

DescriptionCVE.org

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.

AnalysisAI

Cross-device system_info disclosure in Microsoft UFO's WebSocket server allows any authenticated DEVICE-role client to retrieve another enrolled device's server-side system_info - including hostname, IP address, and metadata tags - by supplying an arbitrary target_id in a DEVICE_INFO_REQUEST message. Affected versions 3.0.0 through 3.0.5 authenticate the caller's role but omit object-level authorization in handle_device_info_request and get_device_info (ufo/server/ws/handler.py), meaning DEVICE clients can enumerate peers that only CONSTELLATION controllers should be able to query. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain DEVICE-role credentials or compromise enrolled UFO device
Delivery
Connect to UFO WebSocket server and register as DEVICE
Exploit
Send DEVICE_INFO_REQUEST with victim device's target_id
Execution
Server returns victim's system_info without authorization check
Impact
Harvest hostname, IP, and tags for lateral movement reconnaissance

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated connection to the UFO WebSocket server with the client registered in the DEVICE role - the attacker must either control a legitimately enrolled device in the UFO ecosystem or have compromised the credentials or active WebSocket session of an existing DEVICE client (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) accurately reflects the bounded impact: network-reachable (AV:N), low complexity (AC:L), low-privilege authenticated caller (PR:L), no user interaction (UI:N), no scope change (S:U), and limited confidentiality impact (C:L) with no integrity or availability dimensions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a device enrolled in the UFO automation network - or who has stolen a DEVICE-role WebSocket session - connects to the UFO WebSocket server and sends a valid DEVICE_INFO_REQUEST message with target_id set to the client_id of a high-value peer device (e.g., a finance workstation). The pre-3.0.6 server returns that device's system_info object containing hostname, IP address, and organizational tags without any authorization check. …
Remediation Upgrade to Microsoft UFO version 3.0.6, which enforces constellation-only role checks and object-level authorization boundaries in handle_device_info_request and get_device_info (patch commit https://github.com/microsoft/UFO/commit/2558da4e7dd05096aa6b489eca64efed96126713; release https://github.com/microsoft/UFO/releases/tag/3.0.6). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy