CVE-2026-46414

Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659

Description The WebSocket control plane trusts client-supplied identity and role fields in task messages. An authenticated WebSocket client with a shared server token can register as a normal device and subsequently send a TASK message claiming client type="constellation" and a specific target id. Because the server relies on the role and target values provided in the message instead of the role registered to the connection, a client can spoof the higher-privilege constellation role to dispatch controlled tasks to another connected device. Additionally, the client registry permits duplicate client id registration, which allows an attacker to overwrite a live client's stored websocket, role, and task protocol, leading to peer task hijacking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.