CVE-2026-46416

Published: May 27, 2026

Modified: May 28, 2026

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.

Vendor	Product	Versions
microsoft	UFO	affected `3.0.1-4-ge2626659`

Weaknesses (CWE)

CWE-284

CWE-488

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/microsoft/UFO/security/advisories/GHSA-cwwh-p9rv-4pj4

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-46416

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References