← back
CVE-2026-46402

Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversal and log file creation outside the logs directory

CVSS 8.1 HIGHEPSS 0.7%CWE-22CWE-73
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.1EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
27 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Affected products
microsoft · UFO

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/microsoft/UFO/security/advisories/GHSA-whcg-fgpx-76f2