216.73.216.89

CVE-2026-46538

· Published 27/05/2026 23:16 · Modified 28/05/2026 18:56

Labels: CVE-2026-46538 2026-05-27CVE-2026-46538CWE-294[email protected]

Essential information

Published
27/05/2026 23:16
Modified
28/05/2026 18:56
Author
Creator
CVSS
5.9 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

CVSS metrics

Description

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
microsoft / ufo cpe:2.3:a:microsoft:ufo:3.0.1:*:*:*:*:*:*:*

References