PT-2026-44122 · Microsoft · Ufo
Beanduan22 · Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-46544
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Microsoft UFO version 3.0.1-4-ge2626659

Description
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. The server accepts a client-supplied session id in WebSocket TASK messages and, if a session object with that id already exists in memory, reuses it instead of creating a new one. Completed sessions are not evicted: they remain in memory with their results populated. A different authenticated client can therefore send a new TASK message carrying the session id of another client's completed session; the server re-enters that existing session object and delivers the stale stored result to the new requester through the send_task_end() callback path. The outcome is an authenticated cross-client stale-result replay (information disclosure). Exploitation requires the attacker to know or predict a live or recently completed session id, which is why the vector carries AC:H and PR:L.

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
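To make the mechanism concrete, below is an added, constructed Python model of the pattern the description gives. It is not code from the Microsoft UFO repository: the names SessionStore, handle_task_vulnerable, handle_task_hardened and send_task_end, the message shape and the scenario are all hypothetical. The vulnerable handler re-enters any existing session keyed by the client-supplied id and replays its result to whoever asks; the hardened handler is illustrative hardening, not a vendor fix, and shows the three checks that break the replay (server-minted unguessable ids, owner binding, no re-entry of completed sessions).

```python
"""Constructed model of the session-id reuse described in CVE-2026-46544.

Hypothetical names and data; not Microsoft UFO's code. Runs offline.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    owner: str                       # authenticated client that created the session
    status: str = "running"          # "running" or "completed"
    result: Optional[dict] = None    # populated when the task finishes


class SessionStore:
    """In-memory registry; completed sessions are never evicted (as described)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def create(self, sid: str, owner: str) -> Session:
        session = Session(sid, owner)
        self._sessions[sid] = session
        return session

    def complete(self, sid: str, result: dict) -> None:
        session = self._sessions[sid]
        session.status = "completed"
        session.result = result


def send_task_end(result: dict) -> dict:
    """Models the task-end callback that delivers a finished result to the requester."""
    return {"type": "TASK_END", "result": result}


def handle_task_vulnerable(store: SessionStore, client: str, msg: dict) -> dict:
    """Vulnerable pattern: trust the client-supplied session_id and re-enter
    whatever session object already lives under that key, regardless of owner."""
    sid = msg["session_id"]
    session = store.get(sid)
    if session is None:
        session = store.create(sid, client)
    if session.status == "completed":
        # Stale result goes back to the *current* requester, not the owner.
        return send_task_end(session.result)
    return {"type": "ACK", "session_id": sid}


def handle_task_hardened(store: SessionStore, client: str, msg: dict) -> dict:
    """Illustrative hardening (hypothetical, not a vendor fix):
    1. the server mints the session id; a client cannot choose one;
    2. an existing id is only honoured for the client that owns it;
    3. a completed session cannot be re-entered to start a new task."""
    requested = msg.get("session_id")
    if requested is not None:
        session = store.get(requested)
        if session is None or session.owner != client:
            # Unknown id or someone else's id: same answer, so no oracle for id probing.
            return {"type": "ERROR", "reason": "unknown session"}
        if session.status == "completed":
            return {"type": "ERROR", "reason": "session already completed"}
        return {"type": "ACK", "session_id": requested}
    sid = secrets.token_urlsafe(32)      # 256 bits of entropy; not predictable
    store.create(sid, client)
    return {"type": "ACK", "session_id": sid}


def demo() -> tuple:
    """Constructed scenario: client A finishes a task, client B replays A's session id.
    Returns (reply to B from the vulnerable handler, reply to B from the hardened one)."""
    store = SessionStore()
    handle_task_vulnerable(store, "client-A",
                           {"type": "TASK", "session_id": "sess-0001", "request": "open calculator"})
    store.complete("sess-0001", {"summary": "client A's private result"})
    replay_vulnerable = handle_task_vulnerable(store, "client-B",
                                               {"type": "TASK", "session_id": "sess-0001"})

    store2 = SessionStore()
    ack = handle_task_hardened(store2, "client-A", {"type": "TASK", "request": "open calculator"})
    store2.complete(ack["session_id"], {"summary": "client A's private result"})
    replay_hardened = handle_task_hardened(store2, "client-B",
                                           {"type": "TASK", "session_id": ack["session_id"]})
    return replay_vulnerable, replay_hardened


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable handler replied to B:", vuln)
    print("hardened handler replied to B:  ", hard)
```

In the vulnerable path client B receives a TASK_END message carrying client A's result; in the hardened path B gets a generic error, and A's own attempt to re-enter the completed session is also refused, so a leaked or guessed id buys nothing after the task ends.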

Exploit
IDOR

Weakness Enumeration

Related Identifiers
CVE-2026-46544

Affected Products
Ufo