CVE-2026-46416
Microsoft UFO WebSocket Handler Information Disclosure
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | ufo | 3.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Microsoft UFO open-source framework version 3.0.1-4-ge2626659. The framework creates a single shared UFOWebSocketHandler instance that is reused for multiple authenticated WebSocket connections. This handler stores each connection's protocol objects in mutable instance fields, so every new WebSocket connection overwrites the fields set by the previous one. Message handlers then send responses through whatever protocol object is currently in those shared fields rather than through the protocol object tied to the connection that sent the request. Consequently, the most recently connected authenticated client can receive protocol responses intended for another authenticated client.
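The state-confusion pattern described above, reduced to a constructed model (added here for illustration; it is not code from the UFO project, and the class and function names FakeConnection, FakeProtocol, SharedStateHandler, PerConnectionHandler and run_scenario are hypothetical). The vulnerable handler keeps the per-connection protocol in an instance field that each new connection overwrites; the hardened handler keys that state by the connection that owns it, so a reply can only go back over the requester's own connection:

```python
"""Constructed model of CWE-488 session-state confusion in a shared handler.

Nothing here talks to a real WebSocket; the connection and protocol classes
are stand-ins so the routing behaviour can be exercised offline.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)  # eq=False keeps identity hashing so a connection can be a dict key
class FakeConnection:
    """Stand-in for one authenticated WebSocket connection (constructed)."""
    client_id: str
    received: list = field(default_factory=list)


class FakeProtocol:
    """Stand-in for the protocol object bound to exactly one connection (constructed)."""

    def __init__(self, conn: FakeConnection) -> None:
        self.conn = conn

    def send(self, message: str) -> None:
        self.conn.received.append(message)


class SharedStateHandler:
    """Vulnerable pattern: per-connection state lives in a mutable instance field."""

    def __init__(self) -> None:
        self.protocol = None  # overwritten by every new connection

    def on_connect(self, conn: FakeConnection) -> None:
        self.protocol = FakeProtocol(conn)

    def on_message(self, conn: FakeConnection, text: str) -> None:
        # Replies through the shared field, not the requester's own protocol.
        self.protocol.send(f"reply to {conn.client_id}: {text}")


class PerConnectionHandler:
    """Hardened pattern: state is keyed by the connection that owns it."""

    def __init__(self) -> None:
        self.protocols: dict = {}

    def on_connect(self, conn: FakeConnection) -> None:
        self.protocols[conn] = FakeProtocol(conn)

    def on_disconnect(self, conn: FakeConnection) -> None:
        # Drop state with the connection so it can never be reused by another session.
        self.protocols.pop(conn, None)

    def on_message(self, conn: FakeConnection, text: str) -> None:
        proto = self.protocols.get(conn)
        if proto is None:
            raise RuntimeError("message from a connection with no registered protocol")
        proto.send(f"reply to {conn.client_id}: {text}")


def run_scenario(handler_cls):
    """Two authenticated clients connect in turn, then the first one sends a request.

    Returns {client_id: [messages that client received]} so the routing can be checked.
    """
    handler = handler_cls()
    alice = FakeConnection("alice")
    bob = FakeConnection("bob")
    handler.on_connect(alice)
    handler.on_connect(bob)  # in the vulnerable handler this clobbers alice's protocol
    handler.on_message(alice, "show my private data")
    return {c.client_id: list(c.received) for c in (alice, bob)}


def leaks_across_sessions(handler_cls) -> bool:
    """True if a reply to alice's request was delivered to bob."""
    result = run_scenario(handler_cls)
    return any("reply to alice" in m for m in result["bob"])


if __name__ == "__main__":
    for cls in (SharedStateHandler, PerConnectionHandler):
        verdict = "LEAK" if leaks_across_sessions(cls) else "ok"
        print(f"{cls.__name__}: {run_scenario(cls)} -> {verdict}")
```

The same check is a useful regression test for any shared WebSocket or RPC handler: open two authenticated sessions, send a request from the first, and assert that the second receives nothing. A handler that passes it for one session and fails it for two is exhibiting exactly the CWE-488 behaviour this CVE describes.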
How can this vulnerability impact me?
This vulnerability can lead to information leakage between authenticated clients. Because responses meant for one client may be sent to another, sensitive or private data could be exposed to unauthorized users. This undermines the confidentiality and integrity of communications within the application using the Microsoft UFO framework.