CVE-2026-46402: Path Traversal in Microsoft UFO Framework – Patch Guidance
Microsoft UFO, an open-source framework for intelligent automation, contains a path traversal vulnerability in version 3.0.1-4-ge2626659. An authenticated user can manipulate task names to write log files and directories outside the intended logs directory, potentially overwriting critical files or gaining unauthorized file system access on the affected system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-22, CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-27 / 2026-06-17
NVD description (verbatim)
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46402 is a path traversal vulnerability (CWE-22, CWE-73) in Microsoft UFO's session logging mechanism. The framework fails to sanitize the user-supplied task_name parameter before using it to construct file system paths for session logs. An authenticated attacker can inject path traversal sequences (such as ../ or absolute paths) into task_name to escape the logs/ directory and write or modify arbitrary files on the system, subject to the privileges of the UFO process.
Business impact
Organizations using UFO for automated workflows face risk of data integrity compromise, potential denial of service through filesystem exhaustion, and confidentiality loss if sensitive configuration or state files are overwritten. In multi-tenant or shared environments, this could enable lateral privilege escalation or cross-tenant interference. The impact depends on the process's file system privileges and what sensitive data resides on the same system.
Affected systems
Microsoft UFO framework version 3.0.1-4-ge2626659 is explicitly affected. Organizations should audit their UFO deployments to determine current version status. The vulnerability requires authentication, so only systems exposed to trusted internal users or accessible via authentication credentials are at risk.
Exploitability
Exploitation requires valid authentication credentials to interact with UFO—this is a low barrier for insider threats or compromised service accounts. No complex interaction or user interaction is needed; an authenticated client can immediately craft a malicious task_name and trigger file creation or modification. The attack is network-accessible, making it suitable for exploitation by remote authenticated users.
Remediation
Update Microsoft UFO to a patched version that sanitizes the task_name parameter before constructing log file paths. Verify the specific patched version against the Microsoft Security Advisory for UFO. Until patching is complete, restrict UFO access to trusted accounts and monitor log directory creation and file system activity for unexpected paths.
Patch guidance
Consult the official Microsoft UFO GitHub repository or security advisory for the specific patched version. Apply the update to all systems running version 3.0.1-4-ge2626659. Verify that the patch properly validates and sanitizes task_name input, rejecting or escaping path traversal sequences. Test in a non-production environment before rolling out to production automation workflows.
Detection guidance
Monitor UFO process file system activity for writes outside the intended logs/ directory, especially following task submission requests. Log aggregation rules should flag task_name parameters containing ../, absolute paths (/), or unusual encoding patterns. Review UFO session logs and filesystem audit logs for unexpected directory creation or file modifications that correlate with task execution events.
Why prioritize this
This vulnerability scores 8.1 (HIGH) due to high integrity and availability impact combined with low attack complexity and network accessibility. Although authentication is required, the ability to write arbitrary files on an authenticated system poses significant risk in automation-critical environments. Organizations relying on UFO for business-critical processes should prioritize patching.
Risk score, explained
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H yields 8.1 HIGH. Network accessibility (AV:N) and low attack complexity (AC:L) increase risk; the low privilege requirement (PR:L) reflects that any authenticated user can exploit it. The high integrity impact (I:H) and high availability impact (A:H) reflect the severity of uncontrolled file write capability, while confidentiality is unaffected (C:N).
Frequently asked questions
Does this vulnerability require special privileges or exploits to trigger?
No. Any authenticated user with network access to UFO can exploit it by submitting a task with a crafted task_name containing path traversal sequences. No additional tools or privilege escalation are needed.
Can this be exploited over the network?
Yes, if UFO is exposed to network clients (authenticated or over a network service). The vulnerability is network-accessible provided the attacker has valid authentication credentials.
What should we do if we cannot patch immediately?
Restrict access to UFO to a minimal set of trusted accounts, implement network segmentation if UFO runs on a shared system, and enable detailed logging and monitoring of file system operations around the logs directory. Monitor for suspicious task names or unexpected file creation patterns.
How can we detect if someone has exploited this?
Look for log files or directories created outside the logs/ directory with timestamps correlating to UFO task submissions. Examine task_name parameters in UFO request logs for path traversal patterns (../, /, etc.). File system audit logs (auditd on Linux, Windows Event Log on Windows) should show unexpected file writes by the UFO process user.
This analysis is provided for educational and defensive security purposes. The vulnerability details and patch status should be verified against official Microsoft Security Advisories and the Microsoft UFO GitHub repository. Organizations should conduct their own risk assessment based on their specific deployment and use of Microsoft UFO. This intelligence does not constitute legal, compliance, or vendor-specific guidance; consult your internal security and compliance teams and Microsoft support for deployment-specific recommendations. Source: NVD (public-domain), retrieved 2026-07-06. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41412MEDIUMalf.io Extension Sandbox File Read Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-32847HIGHDeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)