Authenticated Cross-Device Task-Result Injection in Microsoft UFO Framework
CVE-2026-46538

5.9 MEDIUM

Key Information:

Vendor: Microsoft

Status: Vendor

CVE Published: 27 May 2026

What is CVE-2026-46538?

Microsoft UFO, an open-source framework for intelligent automation across multiple devices and platforms, is affected by an authenticated cross-device task-result injection vulnerability. In version 3.0.1-4-ge2626659, the constellation client tracks pending task responses by session_id alone and does not verify that a TASK_END message comes from the device to which the task was originally dispatched. Consequently, an authenticated peer device that sends a forged TASK_END message carrying the correct session_id can have that message accepted by the constellation client, which then completes the pending task with attacker-controlled result data, enabling unauthorized actions and data manipulation across devices.
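As an added illustration (not code from the UFO project), the following Python sketch places a task tracker that matches replies by session_id alone beside one that also records which peer each task was sent to and checks the authenticated sender of every TASK_END against it. The class, method and device names are assumptions; in a real client the sender identity must come from the authenticated transport layer, not from a field inside the message.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed names for illustration only; not UFO identifiers.
@dataclass
class PendingTask:
    session_id: str
    target_device: str            # peer the task was dispatched to
    result: Optional[dict] = None


class TaskTracker:
    def __init__(self, bind_origin: bool):
        self.bind_origin = bind_origin          # False reproduces the flaw
        self.pending: dict[str, PendingTask] = {}
        self.rejected: list[tuple[str, str]] = []   # (sender, session_id)

    def dispatch(self, session_id: str, target_device: str) -> None:
        self.pending[session_id] = PendingTask(session_id, target_device)

    def on_task_end(self, sender_device: str, session_id: str, payload: dict) -> bool:
        """sender_device is the peer identity established by the transport."""
        task = self.pending.get(session_id)
        if task is None:
            return False                        # unknown or already completed
        if self.bind_origin and sender_device != task.target_device:
            # Hardened path: TASK_END must come from the dispatched device.
            self.rejected.append((sender_device, session_id))
            return False
        task.result = payload
        del self.pending[session_id]
        return True


def simulate(bind_origin: bool) -> dict:
    """Constructed scenario: device-B is an authenticated peer but not the
    task's target, and replies with the right session_id before device-A."""
    tracker = TaskTracker(bind_origin)
    tracker.dispatch("sess-1", "device-A")
    forged = tracker.on_task_end("device-B", "sess-1", {"status": "ok", "data": "forged"})
    real = tracker.on_task_end("device-A", "sess-1", {"status": "ok", "data": "real"})
    return {"forged_accepted": forged, "real_accepted": real,
            "rejections": len(tracker.rejected)}
```

With bind_origin=False the forged reply completes the task and the genuine reply from device-A is then dropped as unknown; with bind_origin=True the forged reply is logged and rejected and the genuine one completes the task.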

Affected Version(s)

UFO 3.0.1-4-ge2626659

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
