CVE-2026-46414
Deferred Deferred - Pending Action
Microsoft UFO WebSocket Role Spoofing Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46414
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microsoft ufo 3.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Microsoft UFO open-source framework for intelligent automation. Specifically, in version 3.0.1-4-ge2626659, the WebSocket control plane trusts client-supplied identity and role fields in task messages without proper verification.

An authenticated WebSocket client can initially register as a normal device but later send a task message claiming a higher-privilege role ("constellation") and specify a target device ID. The server incorrectly trusts these role and target values from the message instead of enforcing the role assigned during connection registration.

As a result, an attacker with the shared server token can spoof a higher-privilege role and dispatch malicious tasks to other connected devices. Additionally, the client registry allows duplicate client_id registration, which can overwrite an existing live client's stored websocket, role, and task protocol, leading to peer task hijacking.

Impact Analysis

This vulnerability can have severe impacts including unauthorized task execution on connected devices by an attacker who spoofs a higher-privilege role.

An attacker can hijack peer tasks, potentially disrupting device operations, compromising device integrity, and causing denial of service or unauthorized actions.

Because the attacker must be an authenticated WebSocket client with the shared server token, the vulnerability allows privilege escalation and control over other devices within the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart