OS Command Injection Vulnerability in Microsoft UFO Framework
CVE-2026-45322

7.8HIGH

Key Information:

Vendor: Microsoft
Status: Ufo
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-45322?

The Microsoft UFO framework is susceptible to an OS command injection vulnerability affecting versions up to v3.0.0. This flaw arises when the ShellReceiver.run_shell() method directly passes command strings from action parameters to subprocess.Popen() with shell=True. Additionally, this vulnerability can be exploited via the ShellReceiver.execute_command() method. An attacker with the ability to write or modify a session action JSON file can implant malicious shell commands that are executed upon session resume or action replay. This poses considerable risks, as the compromised commands execute in the context of the UFO process user's privileges, potentially leading to unauthorized actions within the system.

Affected Version(s)

UFO <= 3.0.0

References

https://github.com/microsoft/UFO/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 11, 2026

CVE-2026-45322 Data

JSON