CVE-2026-46416

Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659

Description Microsoft UFO creates a single shared UFOWebSocketHandler instance that is reused across multiple authenticated WebSocket connections. The handler stores protocol objects for each connection in mutable instance fields, which are overwritten whenever a new WebSocket connection is established. Consequently, message handlers transmit responses via these shared fields rather than using the protocol objects linked to the original connection. This allows the most recently connected authenticated client to receive protocol responses intended for other authenticated clients.

Recommendations For version 3.0.1-4-ge2626659, at the moment, there is no information about a newer version that contains a fix for this vulnerability.