CVE 8.8 HIGH

Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking_CVE-2026-46414

May 27, 2026 invoker category_cve
8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.

AI Analysis

Authenticated WebSocket role/identity spoofing issue leading to peer task hijacking in Microsoft UFO

Basic Information

ID CVE-2026-46414
Source GitHub_M
Published May 27, 2026 at 21:54

Affected Product

Vendor microsoft
Product UFO
Version 3.0.1-4-ge2626659
Affected Versions microsoft UFO 3.0.1-4-ge2626659

CWE Classification

CWE-290 CWE-639 CWE-862

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor Microsoft
Product UFO
Version 3.0.1-4-ge2626659

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.