Microsoft UFO is an open-source framework for intelligent automation. In version 3.0.1-4-ge2626659, the system accepts client-supplied session_id values in WebSocket task messages and reuses existing in-memory session objects if the session_id matches. If a session has completed but remains in memory with results, another authenticated client can send a TASK message with the same session_id and receive stale stored results via the normal send_task_end() callback. This constitutes an authorization bypass vulnerability (CWE-639) because it allows cross-client access to data from a different session. The vulnerability requires low privileges but high attack complexity due to the need to know or predict session_ids.

An authenticated attacker who can guess or know a valid session_id from a live or recently completed session can access stale results from that session. This leads to unauthorized disclosure of potentially sensitive information. There is no impact on integrity or availability reported. The CVSS score is 5.3 (medium), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and high confidentiality impact.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or workaround is currently documented. Until a patch is available, restrict access to authenticated clients and consider monitoring session_id management to prevent reuse. Avoid sharing or exposing session_ids externally. Follow vendor updates for any forthcoming patches or mitigations.