Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable WebSocket server requires authenticated DEVICE registration (PR:L); impact is limited to peer device metadata disclosure with no integrity or availability consequences.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.
AnalysisAI
Cross-device system_info disclosure in Microsoft UFO's WebSocket server allows any authenticated DEVICE-role client to retrieve another enrolled device's server-side system_info - including hostname, IP address, and metadata tags - by supplying an arbitrary target_id in a DEVICE_INFO_REQUEST message. Affected versions 3.0.0 through 3.0.5 authenticate the caller's role but omit object-level authorization in handle_device_info_request and get_device_info (ufo/server/ws/handler.py), meaning DEVICE clients can enumerate peers that only CONSTELLATION controllers should be able to query. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated connection to the UFO WebSocket server with the client registered in the DEVICE role - the attacker must either control a legitimately enrolled device in the UFO ecosystem or have compromised the credentials or active WebSocket session of an existing DEVICE client (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) accurately reflects the bounded impact: network-reachable (AV:N), low complexity (AC:L), low-privilege authenticated caller (PR:L), no user interaction (UI:N), no scope change (S:U), and limited confidentiality impact (C:L) with no integrity or availability dimensions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a device enrolled in the UFO automation network - or who has stolen a DEVICE-role WebSocket session - connects to the UFO WebSocket server and sends a valid DEVICE_INFO_REQUEST message with target_id set to the client_id of a high-value peer device (e.g., a finance workstation). The pre-3.0.6 server returns that device's system_info object containing hostname, IP address, and organizational tags without any authorization check. … |
| Remediation | Upgrade to Microsoft UFO version 3.0.6, which enforces constellation-only role checks and object-level authorization boundaries in handle_device_info_request and get_device_info (patch commit https://github.com/microsoft/UFO/commit/2558da4e7dd05096aa6b489eca64efed96126713; release https://github.com/microsoft/UFO/releases/tag/3.0.6). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44943