CVE-2026-46538: CWE-294: Authentication Bypass by Capture-replay in microsoft UFO
CVE-2026-46538 is an authentication bypass vulnerability in Microsoft UFO version 3. 0. 1-4-ge2626659. The issue arises because the constellation client tracks pending task responses by session_id without verifying that the TASK_END message originates from the device that was originally assigned the task. This allows an authenticated peer device to send a forged TASK_END message with the same session_id, causing the constellation to accept the response and complete the victim device's pending task with attacker-controlled data. This vulnerability enables authenticated cross-device task-result injection.
AI Analysis
Technical Summary
Microsoft UFO's constellation client in version 3.0.1-4-ge2626659 tracks pending task responses solely by session_id and does not verify that the TASK_END message comes from the device originally assigned the task. Although the pending task record stores the expected device ID, the completion logic ignores this binding. Consequently, an authenticated peer device can forge a TASK_END message with a matching session_id, causing the constellation to accept the response and inject attacker-controlled result data into the victim device's pending task. This constitutes an authentication bypass via capture-replay, categorized under CWE-294 and CWE-345.
Potential Impact
The vulnerability allows an authenticated attacker with access to the constellation network to inject forged task completion messages for tasks assigned to other devices. This can lead to integrity violations by substituting legitimate task results with attacker-controlled data. The impact is limited to integrity compromise and partial availability degradation (low availability impact). Confidentiality is not affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a patch is available, restrict authenticated peer device access to trusted entities only and monitor for anomalous task completion messages if possible.
CVE-2026-46538: CWE-294: Authentication Bypass by Capture-replay in microsoft UFO
Description
CVE-2026-46538 is an authentication bypass vulnerability in Microsoft UFO version 3. 0. 1-4-ge2626659. The issue arises because the constellation client tracks pending task responses by session_id without verifying that the TASK_END message originates from the device that was originally assigned the task. This allows an authenticated peer device to send a forged TASK_END message with the same session_id, causing the constellation to accept the response and complete the victim device's pending task with attacker-controlled data. This vulnerability enables authenticated cross-device task-result injection.
CVSS v3.1
Score 5.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Microsoft UFO's constellation client in version 3.0.1-4-ge2626659 tracks pending task responses solely by session_id and does not verify that the TASK_END message comes from the device originally assigned the task. Although the pending task record stores the expected device ID, the completion logic ignores this binding. Consequently, an authenticated peer device can forge a TASK_END message with a matching session_id, causing the constellation to accept the response and inject attacker-controlled result data into the victim device's pending task. This constitutes an authentication bypass via capture-replay, categorized under CWE-294 and CWE-345.
Potential Impact
The vulnerability allows an authenticated attacker with access to the constellation network to inject forged task completion messages for tasks assigned to other devices. This can lead to integrity violations by substituting legitimate task results with attacker-controlled data. The impact is limited to integrity compromise and partial availability degradation (low availability impact). Confidentiality is not affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is currently documented. Until a patch is available, restrict authenticated peer device access to trusted entities only and monitor for anomalous task completion messages if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-14T20:42:31.368Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a176dbbe29bf47b50f73d86
Added to database: 5/27/2026, 10:18:35 PM
Last enriched: 5/27/2026, 10:34:14 PM
Last updated: 5/27/2026, 11:22:46 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.