Description
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft UFO version 3.0.1-4-ge2626659 accepts client-supplied session identifiers in WebSocket task messages and reuses an existing in-memory session if that session_id already exists. When a previously completed session remains in memory, a different authenticated user can send a new TASK message using the same session_id. The server then re-enters the session and sends the stored, stale result to the new requester through the normal send_task_end() callback. This produces an authenticated cross-client replay of stale task results, potentially revealing confidential information that the attacker did not originally authorise.

Affected Systems

Microsoft UFO – version 3.0.1-4-ge2626659 is affected. The issue is triggered when client-supplied session_id values are accepted on the WebSocket endpoint. No other Microsoft products are listed as impacted in the current advisory.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires authenticated access and knowledge or prediction of a live or recently completed session_id, meaning that an attacker must first obtain legitimate authentication before the replay can occur. If the attacker obtains these credentials, they can potentially read stale results intended for previous users, leading to information disclosure. The vulnerability can be mitigated by upgrading to a patched version, if available, or applying workarounds until an official fix is released.

Generated by OpenCVE AI on May 27, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Microsoft UFO to the latest patched version that validates session identifiers and rejects client-supplied session IDs
  • If an update is unavailable, restrict the WebSocket task submission endpoint to trusted clients or disable it entirely in environments where unused automation is not required
  • Implement logging and monitoring to detect repeated use of the same session_id across different users and investigate any suspicious activity

Generated by OpenCVE AI on May 27, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft ufo
Vendors & Products Microsoft
Microsoft ufo

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id.
Title Microsoft UFO reuses client-supplied WebSocket session IDs and replays stale task results to new authenticated requesters
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Microsoft Ufo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:18:09.622Z

Reserved: 2026-05-14T20:42:31.368Z

Link: CVE-2026-46544

cve-icon Vulnrichment

Updated: 2026-05-28T13:18:03.748Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T23:16:48.247

Modified: 2026-05-28T18:56:36.823

Link: CVE-2026-46544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:21:42Z

Weaknesses