CVE-2026-46416 MEDIUM

CVE-2026-46416: Microsoft UFO shared WebSocket handler state causes cross-client response hijacking

Vendor Microsoft
Product UFO
Weakness CWE-284
Published May 27, 2026
Last update May 28, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-47145 Unauthorized access on archived channels via file links CVE-2021-24198 wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion CVE-2023-20237 CVE-2024-10124 Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation CVE-2024-25133 Openshift-dedicated: hive: rce through aws/kubernetes client configuration leads to privilege escalation