Authenticated Cross-Client Result Replay in Microsoft UFO Framework
CVE-2026-46544
5.3 MEDIUM
What is CVE-2026-46544?
The Microsoft UFO framework accepts client-supplied session_id values in WebSocket task messages. When an in-memory session object matching that session_id still exists from a previously completed session, the framework reuses it without validating that the request comes from the client that owns the session. An attacker who knows a valid session_id can therefore send a TASK message carrying it and receive the stale results of that earlier session. The risk is that a client can retrieve data that was produced for, and intended for, another user.
Affected Version(s)
UFO 3.0.1-4-ge2626659
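To make the flaw concrete, here is an added illustration (not code from the UFO project; every name in it is hypothetical) of an in-memory session registry with the vulnerable lookup pattern beside a hardened one that binds each session to the authenticated client that created it and refuses to resume completed sessions.

```python
# Added illustration, not code from the UFO project. All class and method
# names are hypothetical; they model the pattern described in the advisory.
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    owner: str                      # authenticated client that created the session
    completed: bool = False
    result: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, session_id: str, owner: str) -> Session:
        s = Session(session_id, owner)
        self._sessions[session_id] = s
        return s

    def open_session(self, owner: str) -> Session:
        # Stronger fix: the server issues unguessable IDs instead of
        # trusting whatever session_id the client supplies.
        return self.create(secrets.token_urlsafe(32), owner)

    def handle_task_vulnerable(self, session_id: str, client: str) -> dict:
        # Flawed pattern: any client that names an existing session_id gets
        # that session object back, including a completed session's result.
        s = self._sessions.get(session_id) or self.create(session_id, client)
        return s.result

    def handle_task_hardened(self, session_id: str, client: str) -> dict:
        s = self._sessions.get(session_id)
        if s is None:
            return self.create(session_id, client).result
        if s.owner != client:
            # The session belongs to another client: refuse rather than leak.
            raise PermissionError("session_id is bound to a different client")
        if s.completed:
            # Completed sessions are not resumable; a fresh session is required.
            raise ValueError("session already completed; open a new session")
        return s.result
```

In practice the owner check should compare against the identity established at WebSocket authentication time, never against a field the client puts in the message.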