CVE-2026-46544
Microsoft UFO Session Replay Vulnerability
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | ufo | From 3.0.1 (inc) to 4-ge2626659 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Microsoft UFO open-source framework for intelligent automation. In versions 3.0.1-4-ge2626659, the framework accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists.
If a prior session has completed but still remains in memory with its results, a different authenticated client can send a new TASK message using the same session_id. The server then re-enters the existing session object and sends the stale stored result to the new requester.
This creates an authenticated cross-client stale result replay issue, meaning that an attacker who knows or can predict a live or recently completed session_id can receive outdated or stale results from another user's session.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an authenticated attacker to access stale or outdated results from another user's session. This could lead to information disclosure where sensitive or confidential data from a previous session is exposed to an unauthorized client.
Since the attacker must be authenticated and know or predict a valid session_id, the risk is somewhat limited but still significant, especially if the stale results contain sensitive information.