CVE-2026-46416: CWE-284: Improper Access Control in microsoft UFO
CVE-2026-46416 is an improper access control vulnerability in Microsoft UFO version 3. 0. 1-4-ge2626659. The issue arises because the framework uses a single shared WebSocket handler instance for multiple authenticated connections, storing per-connection protocol objects in mutable fields that get overwritten with each new connection. This causes responses intended for one authenticated client to be sent to another, potentially exposing sensitive data. The vulnerability has a CVSS score of 6. 3 (medium severity). No official patch or remediation guidance has been provided yet, and there are no known exploits in the wild.
AI Analysis
Technical Summary
Microsoft UFO, an open-source framework for intelligent automation, improperly manages WebSocket connections by reusing a single UFOWebSocketHandler instance across multiple authenticated clients. Mutable instance fields holding per-connection protocol objects are overwritten when new connections are established, leading to cross-connection data leakage where one client may receive responses meant for another. This is classified under CWE-284 (Improper Access Control) and CWE-488 (Exposure of Internal Implementation). The affected version is 3.0.1-4-ge2626659. The vulnerability is publicly known but lacks an official fix or patch at this time.
Potential Impact
The vulnerability can lead to unauthorized disclosure of protocol responses between authenticated clients, potentially exposing sensitive information across sessions. This compromises confidentiality and integrity to a limited extent, as indicated by the CVSS vector (Confidentiality: Low, Integrity: Low, Availability: Low). There is no evidence of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting the use of affected versions or isolating WebSocket connections to prevent cross-client data leakage. Monitor official Microsoft UFO repositories and advisories for updates.
CVE-2026-46416: CWE-284: Improper Access Control in microsoft UFO
Description
CVE-2026-46416 is an improper access control vulnerability in Microsoft UFO version 3. 0. 1-4-ge2626659. The issue arises because the framework uses a single shared WebSocket handler instance for multiple authenticated connections, storing per-connection protocol objects in mutable fields that get overwritten with each new connection. This causes responses intended for one authenticated client to be sent to another, potentially exposing sensitive data. The vulnerability has a CVSS score of 6. 3 (medium severity). No official patch or remediation guidance has been provided yet, and there are no known exploits in the wild.
CVSS v3.1
Score 6.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Microsoft UFO, an open-source framework for intelligent automation, improperly manages WebSocket connections by reusing a single UFOWebSocketHandler instance across multiple authenticated clients. Mutable instance fields holding per-connection protocol objects are overwritten when new connections are established, leading to cross-connection data leakage where one client may receive responses meant for another. This is classified under CWE-284 (Improper Access Control) and CWE-488 (Exposure of Internal Implementation). The affected version is 3.0.1-4-ge2626659. The vulnerability is publicly known but lacks an official fix or patch at this time.
Potential Impact
The vulnerability can lead to unauthorized disclosure of protocol responses between authenticated clients, potentially exposing sensitive information across sessions. This compromises confidentiality and integrity to a limited extent, as indicated by the CVSS vector (Confidentiality: Low, Integrity: Low, Availability: Low). There is no evidence of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting the use of affected versions or isolating WebSocket connections to prevent cross-client data leakage. Monitor official Microsoft UFO repositories and advisories for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T21:04:10.933Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a176dbbe29bf47b50f73d83
Added to database: 5/27/2026, 10:18:35 PM
Last enriched: 5/27/2026, 10:34:23 PM
Last updated: 5/27/2026, 11:22:46 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.