CVE-2026-54568 in UFOinfo

Summary

by MITRE • 07/16/2026

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The Microsoft UFO framework represents an open-source intelligent automation solution designed to facilitate cross-device and cross-platform operations through a WebSocket-based communication protocol. This framework enables devices to establish connections and communicate within a distributed system environment where various components can interact seamlessly. The vulnerability under examination affects versions 3.0.0 through 3.0.6 of this framework, specifically targeting the device management and information retrieval mechanisms that govern how connected entities communicate with each other.

The core technical flaw resides in the insufficient authorization controls implemented within the WebSocket server component of UFO. When a client device connects to the UFO server and assumes the DEVICE role, it gains access to certain operational capabilities including the ability to request device information from other connected entities. The vulnerability stems from the lack of proper role-based access control enforcement in the handle_device_info_request function located in ufo/server/ws/handler.py. This function processes requests for device information without validating whether the requesting device has legitimate authorization to access the target device's system information, as defined by the constellation-only role or object-level authorization boundaries.

The operational impact of this vulnerability is significant as it creates an information disclosure risk that could potentially allow malicious actors to gather sensitive system information from other devices within the same UFO network. An attacker who gains access to a DEVICE client connection could exploit this flaw by sending a DEVICE_INFO_REQUEST message with any valid target_id parameter, thereby retrieving system_info data from other connected devices without proper authorization. This breach of object-level security boundaries violates fundamental principles of information assurance and could enable further attacks such as reconnaissance for privilege escalation or lateral movement within the network.

This vulnerability aligns with CWE-285 (Improper Authorization) and represents a classic example of insufficient access control validation in distributed systems. From an adversarial perspective, this issue maps to ATT&CK technique T1083 (File and Directory Discovery) and potentially T1590 (Cloud Infrastructure Discovery) when considering the broader implications for device enumeration within automated environments. The fix implemented in version 3.0.6 addresses this by enforcing proper role validation and authorization boundaries, ensuring that device information requests can only be processed when appropriate permissions are verified.

The remediation approach requires implementing strict object-level authorization checks before allowing any device information retrieval operations. This involves validating that the requesting device's role and permissions align with the target device's access control policies, particularly enforcing the constellation-only role constraints that prevent unauthorized cross-device information access. Security practitioners should ensure all UFO deployments are updated to version 3.0.6 or later to mitigate this exposure. Organizations using this framework should also consider implementing additional network segmentation controls and monitoring for anomalous device information requests that might indicate exploitation attempts, as proper authorization enforcement is critical for maintaining the security posture of distributed automation systems.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!