CVE-2026-46538

Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659

Description The constellation client in this open-source framework for intelligent automation tracks pending task responses using only the session id and fails to verify if a TASK END message originated from the device that initially received the task. While the pending task record includes the expected device ID, the completion path ignores this binding. Consequently, an authenticated peer device can send a forged TASK END message with a matching session id, leading the constellation to accept the response and complete the victim device's pending Future with attacker-controlled result data. This results in an authenticated cross-device task-result injection.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.