Description
Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.
Published: 2026-07-16
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jul 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft ufo
Vendors & Products Microsoft
Microsoft ufo

Thu, 16 Jul 2026 16:00:00 +0000

Type Values Removed Values Added
Description Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.
Title Microsoft UFO: Missing Authorization in DEVICE_INFO_REQUEST Allows a DEVICE Client to Read Another Device's system_info
Weaknesses CWE-639
CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-16T18:03:30.788Z

Reserved: 2026-06-15T19:15:27.343Z

Link: CVE-2026-54568

cve-icon Vulnrichment

Updated: 2026-07-16T18:02:31.096Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T17:45:03Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-862

    Missing Authorization