CVE-2026-54568
Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to t
CVSS
4.3
Medium
EPSS
—
KEV
—
Exploit Today
0
0-100
Published: Jul 16, 2026 · Last modified: Jul 16, 2026 · CWE-639 · CWE-862
Not enough EPSS history yet.
Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.
- github.comhttps://github.com/microsoft/UFO/commit/2558da4e7dd05096aa6b489eca64efed96126713
- github.comhttps://github.com/microsoft/UFO/releases/tag/3.0.6
- github.comhttps://github.com/microsoft/UFO/security/advisories/GHSA-hc27-j4p9-qm2x
- github.comhttps://github.com/microsoft/UFO/security/advisories/GHSA-hc27-j4p9-qm2x