Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In version 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields, and each new WebSocket connection overwrites those fields. Message handlers later send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.
Published: 2026-05-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the UFO framework reuses a single UFOWebSocketHandler instance across multiple authenticated WebSocket connections. Because the handler stores per-connection protocol objects in mutable instance fields, each new connection overwrites the previous client's state. Subsequent message handling routes responses through these shared fields, so responses that belong to one authenticated client are delivered to another. This results in cross-client response hijacking, exposing sensitive data or disrupting user sessions.
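The description and the Impact paragraph above describe a general pattern rather than a detail of one code base: a handler object shared by every connection that keeps per-connection state in its own instance fields. The Python below is an added illustration and is not code from the UFO project; the classes SharedStateHandler, PerConnectionHandler, Protocol and FakeWebSocket, their fields and the reply format are assumptions chosen to reproduce the described behaviour next to a per-connection binding that avoids it.

```python
# Added illustration of the shared-handler pattern described in CVE-2026-46416.
# This is NOT UFO's code: every class, field and message shape below is assumed
# for the demonstration. The scenario is two authenticated clients connecting in
# order, after which the earlier client sends a message.
from __future__ import annotations


class FakeWebSocket:
    """Stand-in for one WebSocket connection; records what was sent on it."""

    def __init__(self, client_id: str) -> None:
        self.client_id = client_id
        self.sent: list[str] = []

    def send(self, message: str) -> None:
        self.sent.append(message)


class Protocol:
    """Per-connection protocol object bound to exactly one WebSocket."""

    def __init__(self, ws: FakeWebSocket) -> None:
        self.ws = ws

    def send_response(self, payload: str) -> None:
        self.ws.send(payload)


class SharedStateHandler:
    """Vulnerable pattern (assumed layout): one instance serves every
    connection and keeps the *latest* protocol in a mutable instance field."""

    def __init__(self) -> None:
        self.protocol: Protocol | None = None  # overwritten on every connect

    def on_connect(self, ws: FakeWebSocket) -> None:
        self.protocol = Protocol(ws)

    def on_message(self, ws: FakeWebSocket, text: str) -> None:
        # Defect: the reply goes through the shared field, so it reaches
        # whichever client connected most recently, not the one that sent it.
        assert self.protocol is not None
        self.protocol.send_response(f"reply to {ws.client_id}: {text}")


class PerConnectionHandler:
    """Hardened pattern: protocol objects are keyed by connection, and the
    reply path is looked up from the connection that produced the message."""

    def __init__(self) -> None:
        self.protocols: dict[FakeWebSocket, Protocol] = {}

    def on_connect(self, ws: FakeWebSocket) -> None:
        self.protocols[ws] = Protocol(ws)

    def on_disconnect(self, ws: FakeWebSocket) -> None:
        self.protocols.pop(ws, None)  # no stale state outlives the connection

    def on_message(self, ws: FakeWebSocket, text: str) -> None:
        proto = self.protocols[ws]
        # Cheap invariant that would have caught the original defect: the
        # protocol we reply through must be bound to the originating socket.
        if proto.ws is not ws:
            raise RuntimeError("response routed to a different connection")
        proto.send_response(f"reply to {ws.client_id}: {text}")


def run_scenario(handler_cls) -> tuple[list[str], list[str]]:
    """Connect alice, then bob; alice sends a message.
    Returns (messages alice received, messages bob received)."""
    handler = handler_cls()
    alice = FakeWebSocket("alice")
    bob = FakeWebSocket("bob")
    handler.on_connect(alice)
    handler.on_connect(bob)  # bob is now the most recent connection
    handler.on_message(alice, "list my sessions")
    return alice.sent, bob.sent


if __name__ == "__main__":
    print("shared handler:        ", run_scenario(SharedStateHandler))
    print("per-connection handler:", run_scenario(PerConnectionHandler))
```

Running the script shows the misrouting directly: with the shared handler, alice's reply ends up in bob's received list and alice gets nothing, while the per-connection handler delivers it to alice. The identity check in the hardened on_message is the kind of runtime guard that turns a silent cross-client leak into a logged failure, which matches the monitoring suggestion in the recommended actions.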

Affected Systems

Microsoft UFO, version 3.0.1-4-ge2626659, and any subsequent releases built from the same 3.x branch that retain the shared handler implementation. The issue is specific to the UFOWebSocketHandler when used in authenticated contexts.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate risk. There is no EPSS data and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not currently widely exploited. Based on the description, the attack vector involves a legitimate authenticated client that can establish a WebSocket connection to the targeted service. Once connected, the attacker can trigger message exchanges and receive data intended for other authenticated clients, thereby leaking information between users.

Generated by OpenCVE AI on May 27, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Microsoft UFO to a release that removes the shared UFOWebSocketHandler or corrects per-connection state handling
  • If an immediate upgrade is unavailable, reconfigure the framework (if supported) to instantiate a new UFOWebSocketHandler for each authenticated connection instead of reusing a shared instance
  • Increase monitoring of WebSocket traffic for anomalous message routing and log response destinations to detect cross-client leaks

Advisories

No advisories yet.

History

Thu, 28 May 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 22:30:00 +0000

Type: Description
Values removed: (none)
Values added: Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.

Type: Title
Values removed: (none)
Values added: Microsoft UFO shared WebSocket handler state causes cross-client response hijacking

Type: Weaknesses
Values removed: (none)
Values added: CWE-284, CWE-488

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:01:35.272Z

Reserved: 2026-05-13T21:04:10.933Z

Link: CVE-2026-46416

Vulnrichment

Updated: 2026-05-28T13:01:23.502Z

NVD

Status : Deferred

Published: 2026-05-27T23:16:47.973

Modified: 2026-05-28T18:56:36.823

Link: CVE-2026-46416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T23:30:45Z

Weaknesses