Skip to main content

Ufo

2 CVEs product

Monthly

CVE-2026-55440 MEDIUM PATCH This Month

Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. This issue is not in CISA KEV and no public exploit has been identified, though the fix commit's regression tests provide a near-complete exploitation blueprint.

Microsoft Denial Of Service Ufo
NVD GitHub
CVSS 3.1
6.5
CVE-2026-54568 MEDIUM PATCH This Month

Cross-device system_info disclosure in Microsoft UFO's WebSocket server allows any authenticated DEVICE-role client to retrieve another enrolled device's server-side system_info - including hostname, IP address, and metadata tags - by supplying an arbitrary target_id in a DEVICE_INFO_REQUEST message. Affected versions 3.0.0 through 3.0.5 authenticate the caller's role but omit object-level authorization in handle_device_info_request and get_device_info (ufo/server/ws/handler.py), meaning DEVICE clients can enumerate peers that only CONSTELLATION controllers should be able to query. No public exploit identified at time of analysis; vendor-released patch is version 3.0.6.

Authentication Bypass Microsoft Ufo
NVD GitHub
CVSS 3.1
4.3
CVSS 6.5
MEDIUM PATCH This Month

Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. This issue is not in CISA KEV and no public exploit has been identified, though the fix commit's regression tests provide a near-complete exploitation blueprint.

Microsoft Denial Of Service Ufo
NVD GitHub
CVSS 4.3
MEDIUM PATCH This Month

Cross-device system_info disclosure in Microsoft UFO's WebSocket server allows any authenticated DEVICE-role client to retrieve another enrolled device's server-side system_info - including hostname, IP address, and metadata tags - by supplying an arbitrary target_id in a DEVICE_INFO_REQUEST message. Affected versions 3.0.0 through 3.0.5 authenticate the caller's role but omit object-level authorization in handle_device_info_request and get_device_info (ufo/server/ws/handler.py), meaning DEVICE clients can enumerate peers that only CONSTELLATION controllers should be able to query. No public exploit identified at time of analysis; vendor-released patch is version 3.0.6.

Authentication Bypass Microsoft Ufo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy