CVE-2026-46414 - Vulnerability Details

Description

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.

Published: 2026-05-27

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a WebSocket control plane flaw that trusts client‐supplied identity and role fields in task messages, allowing an authenticated client to claim a higher‑privilege role. This can enable the attacker to dispatch arbitrary tasks to any connected device, effectively taking control of that device’s operations. The weakness corresponds to authentication and privilege control (CWE‑290), subverted authorization (CWE‑639), and authority control (CWE‑862).

Affected Systems

Microsoft UFO, open‑source intelligent automation framework, versions circa 3.0.1-4-ge2626659. Any instance deploying that build and exposing the WebSocket control plane is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS is unavailable and the issue is not in CISA’s KEV catalog, but the flaw is authenticated and arises from trusting client data, so exploitation requires a valid WebSocket session and a shared server token. Once accessed, an attacker can run malicious tasks on any target device connected to the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

microsoft

UFO

affected

Version	Status	Constraints
`3.0.1-4-ge2626659`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Microsoft UFO to a patched version that enforces server‑side role validation for WebSocket connections.
Rotate or change the shared server authentication token to limit the window of privilege escalation for compromised connections.
Configure the server to reject or closely validate TASK messages that claim client_type="constellation" unless originating from a privileged, pre‑registered connector, mitigating the role spoofing vector.

Generated by OpenCVE AI on May 27, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/microsoft/UFO/security/advisories/GHSA-qgx6-cvhg-jw7p

History

Wed, 27 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.
Title		Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking
Weaknesses		CWE-290 CWE-639 CWE-862
References		https://github.com/microsoft/UFO/security/advisories/GHSA-qgx6-cvhg-jw7p
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T21:54:51.681Z

Updated: 2026-05-27T21:54:51.681Z

Reserved: 2026-05-13T21:04:10.933Z

Link: CVE-2026-46414

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T23:16:47.833

Modified: 2026-05-27T23:16:47.833

Link: CVE-2026-46414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T23:30:45Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object