Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.
Published: 2026-05-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to supply a task_name containing directory traversal sequences, which Microsoft UFO uses directly when building the session log path. An attacker can therefore cause UFO to create directories and log files outside the intended logs/ directory, tampering with existing logs or planting non-log files in any location the UFO process is permitted to write to. The weakness maps to CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path). The practical impact is an arbitrary-location directory and file write with the privileges of the UFO process, which may facilitate persistence or log tampering; the CVSS vector rates the integrity and availability impact as high and the confidentiality impact as none.

Affected Systems

Microsoft UFO, version 3.0.1-4-ge2626659, is impacted. The version string is in git-describe form (tag 3.0.1, four commits later, at commit e2626659), so the affected build is a development snapshot rather than a tagged release. The vulnerability exists in the log path construction logic and applies to all installations of this specific build on any platform the framework supports.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) indicates a high-severity vulnerability: network-reachable, low attack complexity, no user interaction, and only low privileges required. Any authenticated user who can create or configure tasks, and therefore control task_name, can exploit it; no further privileges are needed. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, but the high CVSS score means detection and remediation should still be treated as a priority. The attack path is straightforward: supply a task_name containing traversal sequences such as ../ during task creation or configuration and trigger log generation, causing UFO to create directories and log files outside the logs/ directory. Task names containing such sequences are also the obvious signal to look for in application or proxy logs.

Generated by OpenCVE AI on May 27, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft UFO to a fixed release that validates task_name before using it in any log path, once one is published.
  • If an upgrade is not possible, run UFO under a dedicated account and use file system ACLs so that it can write only inside the intended logs/ directory and the other locations it genuinely needs; this limits where a traversal can land but does not remove the flaw.
  • Restrict task creation to trusted users, and reject task_name values that contain path separators, ".." or any character outside a short allowlist (for example letters, digits, "-" and "_") rather than attempting to strip traversal sequences out of them.
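The pattern the Risk and Exploitability paragraph describes, and the validation the recommended actions call for, side by side. This is an added example for this page, not Microsoft UFO's own code: LOG_ROOT, session_log_dir_unsafe, session_log_dir_safe and escapes_log_root are hypothetical names, the task names are constructed, and the functions only compute and check paths without creating anything on disk.

```python
"""Vulnerable vs. hardened construction of a per-session log directory
from a user-supplied task name (the CWE-22 / CWE-73 pattern in this advisory).

Added example for this page; it is not Microsoft UFO's code. LOG_ROOT and
the function names are hypothetical, and nothing here touches the
filesystem: paths are only computed and checked.
"""
import re
from pathlib import Path

# Hypothetical log root; the framework's real layout is not reproduced.
LOG_ROOT = Path("/opt/ufo/logs")

# Allowlist for task names: 1-64 chars of letters, digits, '-', '_' and '.',
# not starting with '.', so '.', '..', separators and empty names all fail.
_TASK_NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}")


def session_log_dir_unsafe(task_name: str) -> Path:
    """Vulnerable pattern: task_name is joined into the path unchanged.

    '..' segments walk out of LOG_ROOT, and an absolute task_name replaces
    it entirely (pathlib discards the left operand when the right one is
    absolute), so the caller ends up creating directories anywhere the
    process may write.
    """
    return (LOG_ROOT / task_name).resolve()


def session_log_dir_safe(task_name: str) -> Path:
    """Hardened pattern: allowlist the name, then verify containment.

    The containment check is defence in depth: even if the regex were
    loosened later, a resolved path that is not a direct child of the log
    root is refused rather than 'cleaned'.
    """
    if not _TASK_NAME_RE.fullmatch(task_name):
        raise ValueError(f"invalid task_name: {task_name!r}")
    root = LOG_ROOT.resolve()
    target = (root / task_name).resolve()
    if target.parent != root:
        raise ValueError(f"task_name escapes the log root: {task_name!r}")
    return target


def escapes_log_root(task_name: str) -> bool:
    """True when the unsafe construction lands outside LOG_ROOT, or on the
    root itself ('.' would dump session logs straight into logs/)."""
    root = LOG_ROOT.resolve()
    target = session_log_dir_unsafe(task_name)
    return target == root or root not in target.parents


if __name__ == "__main__":
    # Constructed sample task names: one benign, the rest crafted.
    for name in ("session-01", "../../../etc/cron.d/x", "/tmp/evil", "a/b", "."):
        verdict = "ESCAPES" if escapes_log_root(name) else "contained"
        print(f"{name!r:28} unsafe -> {session_log_dir_unsafe(name)} [{verdict}]")
        try:
            print(f"{'':28} safe   -> {session_log_dir_safe(name)}")
        except ValueError as exc:
            print(f"{'':28} safe   -> rejected ({exc})")
```

The hardened version rejects rather than sanitises: stripping "../" once still lets a "....//" payload collapse into "../", whereas an allowlist plus a check that the resolved path is a direct child of the log root leaves nothing to bypass. "a/b" is contained but still refused, because a task name has no business carrying a separator at all.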

Advisories

No advisories yet.

History

Wed, 27 May 2026 22:30:00 +0000

Values removed: none

Values added:

  • Description: Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.
  • Title: Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversal and log file creation outside the logs directory
  • Weaknesses: CWE-22, CWE-73
  • References: none
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T21:54:06.646Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46402

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T23:16:47.700

Modified: 2026-05-27T23:16:47.700

Link: CVE-2026-46402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T23:30:45Z

Weaknesses