Authenticated WebSocket Role Spoofing Vulnerability in Microsoft UFO Framework
CVE-2026-46414

8.8 HIGH

Key Information:

Vendor

Microsoft

Status
Vendor
CVE Published:
27 May 2026

What is CVE-2026-46414?

The Microsoft UFO open-source framework for intelligent automation is affected by a significant vulnerability: its WebSocket control plane trusts client-supplied identity and role fields. An authenticated WebSocket client holding the shared server token can therefore claim a higher-privilege role, specifically 'constellation', and hijack tasks intended for other connected devices. A connection that initially registered as a standard device can still send TASK messages carrying a different identity and role, and the server honours those message fields over the registered ones. In addition, the client registry accepts duplicate client identifier registrations, so a second registration under an existing identifier overwrites the control parameters of the connection already using it.
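The two weaknesses described above, a control plane that takes identity and role from each message instead of from the registered session, and a registry that lets a duplicate client identifier replace an existing connection, are easiest to see next to their hardened forms. The following is an added illustrative model, not code from the Microsoft UFO project: the message shape (type, role, client_id, target and task fields), the registry API and the way the role names are used here are assumptions for the illustration. The same class runs in a weak mode that reproduces the pattern the advisory describes and in a hardened mode that binds identity and role server-side at registration and refuses duplicates.

```python
"""Illustrative model of a WebSocket control plane that binds identity and
role to the connection at registration time.

Added example, not the Microsoft UFO project's code: the message shape
(type / role / client_id / target / task fields), the registry API and the
role names as used here are assumptions for the illustration."""

from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side state for one WebSocket connection."""
    conn_id: str
    client_id: str
    role: str                       # bound once, at registration
    tasks: list = field(default_factory=list)


class ControlPlane:
    """Minimal registry and TASK router.

    trust_client_fields=True reproduces the weak pattern the advisory
    describes (identity/role taken from each message, duplicate client_id
    registrations overwrite the earlier session); False is the hardened form.
    """

    def __init__(self, trust_client_fields: bool = False):
        self.trust_client_fields = trust_client_fields
        self.by_conn: dict[str, Session] = {}
        self.by_client: dict[str, Session] = {}

    def register(self, conn_id: str, client_id: str, role: str) -> Session:
        """Bind client_id and role to this connection for its lifetime."""
        if not self.trust_client_fields and client_id in self.by_client:
            # Hardened: a live registration owns its identifier; refuse the
            # duplicate instead of silently re-pointing it at a new socket.
            raise PermissionError(f"client_id {client_id!r} is already registered")
        session = Session(conn_id, client_id, role)
        self.by_conn[conn_id] = session
        self.by_client[client_id] = session   # weak mode: overwrites any prior entry
        return session

    def handle_task(self, conn_id: str, msg: dict) -> str:
        """Route a TASK message from connection conn_id to msg['target']."""
        session = self.by_conn[conn_id]
        if self.trust_client_fields:
            # Weak: whatever the client claims in the message body wins.
            role = msg.get("role", session.role)
            sender = msg.get("client_id", session.client_id)
        else:
            # Hardened: only the server-bound values are used, and a message
            # that claims something different is rejected outright.
            role, sender = session.role, session.client_id
            if msg.get("role", role) != role or msg.get("client_id", sender) != sender:
                return "rejected: message identity does not match the registered session"
        if msg.get("type") != "TASK":
            return "rejected: not a TASK message"
        if role != "constellation":
            return f"rejected: role {role!r} may not dispatch tasks"
        target = self.by_client.get(msg.get("target"))
        if target is None:
            return "rejected: unknown target"
        target.tasks.append((sender, msg.get("task")))
        return f"dispatched to {target.client_id} on connection {target.conn_id}"


def build(trust_client_fields: bool) -> ControlPlane:
    """Constructed sample topology: one controller and two devices."""
    cp = ControlPlane(trust_client_fields)
    cp.register("conn-1", "ctl", "constellation")
    cp.register("conn-2", "dev-a", "device")
    cp.register("conn-3", "dev-b", "device")
    return cp


# Constructed message: arrives over the connection registered as device dev-b,
# but carries the controller's identity and role in its body.
SPOOFED_TASK = {"type": "TASK", "role": "constellation", "client_id": "ctl",
                "target": "dev-a", "task": "open-app"}


if __name__ == "__main__":
    print("weak:    ", build(True).handle_task("conn-3", SPOOFED_TASK))
    print("hardened:", build(False).handle_task("conn-3", SPOOFED_TASK))
```

The design point is that the message body is never an authority on who sent it: the only trustworthy binding between a socket and an identity is the one the server recorded when the connection authenticated and registered, so routing decisions read that record and treat any conflicting claim in a message as a protocol violation to log and reject. The same reasoning applies to the registry, where an identifier already owned by a live connection should not be reassignable by a later registration.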

Affected Version(s)

UFO 3.0.1-4-ge2626659

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved