A high-severity path traversal vulnerability in Microsoft’s UFO AI automation framework allows authenticated attackers to write log files anywhere on the server filesystem, and no patch exists yet.
Security researchers have disclosed a critical path traversal vulnerability in Microsoft’s UFO (UI-Focused Orchestration) framework, tracked as CVE-2026-46402 (GHSA-whcg-fgpx-76f2), affecting version v3.0.1-4-ge2626659.
Discovered by security researcher beanduan22 and published by rhmsd approximately two weeks ago, the flaw carries a CVSS v3.1 score of 8.1 (High), with integrity and availability rated at maximum impact. As of publication, no patched version has been released.
Microsoft UFO is an open-source, AI-powered desktop automation framework distributed as a Python package via pip. It uses large language models to automate Windows GUI tasks and accepts task requests through both WebSocket and HTTP endpoints.
Its architecture allows clients to submit named tasks to a central UFO server, which then manages session lifecycle, orchestrates agents, and logs activity to a designated logs/ directory.
The root cause lies in how UFO constructs filesystem paths for session logging. When a client submits a task, the server accepts a user-supplied task_name parameter through both WebSocket (ufo/server/ws/handler.py) and HTTP (ufo/server/services/api.py) endpoints.
This value is passed without sanitization directly into the session creation pipeline via session_manager.py. Inside BaseSession (located in ufo/module/basic.py), the log path is assembled using a simple f-string:
self.log_path = f"logs/{task}/"
The helper function create_folder() in ufo/utils/__init__.py then calls os.makedirs() on this path, again with no validation. UFO subsequently opens response.log, request.log, and evaluation.log under this attacker-influenced path.
An attacker can supply a traversal payload such as ../ufo_taskname_escape_poc as the task_name, causing the effective log directory to resolve outside the intended logs/ directory on the underlying filesystem.
Since session content is written into these files, the attacker gains indirect control over file creation and log writes at arbitrary filesystem paths under the privileges of the UFO server process.
Researcher beanduan22 published a working embedded PoC that instantiates a minimal subclass of the real BaseSession with a traversal payload. The confirmed output demonstrates that:
- The log_path resolves to logs/../ufo_taskname_escape_poc/
- The escaped path resolves fully outside /path/to/UFO/logs
- All three log files (response.log, request.log, evaluation.log) are created at the escaped location
The PoC prints the decisive confirmation: “HIT: task_name traversal escaped logs/ and created files outside the intended log directory.”
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-46402 |
| GHSA | GHSA-whcg-fgpx-76f2 |
| Package | microsoft/UFO (pip) |
| Affected Version | v3.0.1-4-ge2626659 |
| Patched Version | None |
| CVSS Score | 8.1 (High) |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| CWE | CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path) |
| Attack Vector | Network |
| Privileges Required | Low |
Any authenticated client with task submission access to a UFO server can exploit this vulnerability. While UFO internally fixes the three log filenames, the parent directory is entirely attacker-controlled. Potential impact includes:
- Creation of unexpected directories at arbitrary filesystem locations
- Appending attacker-influenced content to files outside the log root
- Clobbering or polluting operational files if the UFO server process runs with broad write permissions
- Undermining log integrity assumptions relied upon by monitoring and audit systems
- Potential availability disruption if critical system directories are polluted with log data
The vulnerability’s network-accessible attack vector combined with low privilege requirements makes it particularly dangerous in multi-tenant or shared deployment environments.
Mitigations
Since no official patch exists, defenders should apply the following hardening measures immediately:
- Reject unsafe task_name values: block inputs containing .., path separators (/, \), absolute paths, or drive prefixes like C:\
- Use opaque server-generated names for log directories and store user-facing task labels only as metadata
- Validate resolved paths before creation: resolve the candidate path and confirm it remains under the intended log root using startswith checks
- Enforce an allowlist for filesystem-facing identifiers, permitting only [a-zA-Z0-9._-] characters
- Apply the principle of least privilege: run the UFO server process under an account with minimal filesystem write permissions.
- Add regression tests covering WebSocket and HTTP paths with payloads like ../escape, /absolute/path, and ..%2fescape
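The validation steps above, shown beside the unvalidated f"logs/{task}/" pattern described earlier, as an added example that is not UFO's code or a patch from the project. The helper names and the relative logs root are assumptions; the containment check compares resolved path components instead of a raw string startswith, because a sibling directory such as logs_backup shares the logs prefix.

```python
import re
from pathlib import Path

LOG_ROOT = Path("logs")                     # assumed log root, as in f"logs/{task}/"
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # allowlist from the mitigation list


def vulnerable_log_path(task: str) -> Path:
    """The unvalidated pattern the article describes."""
    return Path(f"{LOG_ROOT}/{task}/")


def naive_prefix_check(path: Path) -> bool:
    """Raw string startswith: also accepts siblings such as logs_backup/."""
    return str(path.resolve()).startswith(str(LOG_ROOT.resolve()))


def safe_log_path(task: str) -> Path:
    """Hypothetical hardened helper: returns a directory strictly under LOG_ROOT."""
    # Layer 1: allowlist. Rejects '/', '\\', ':', '%' and empty or dot-only names.
    if not SAFE_NAME.fullmatch(task) or set(task) == {"."}:
        raise ValueError(f"unsafe task_name: {task!r}")
    # Layer 2: resolve, then compare whole path components, not string prefixes.
    root = LOG_ROOT.resolve()
    candidate = (root / task).resolve()
    if root not in candidate.parents:
        raise ValueError(f"task_name escapes log root: {task!r}")
    return candidate


def is_rejected(task: str) -> bool:
    """True when safe_log_path refuses the name."""
    try:
        safe_log_path(task)
    except ValueError:
        return True
    return False


# Constructed regression inputs; the first five are taken from the article's text.
PAYLOADS = ["../ufo_taskname_escape_poc", "../escape", "/absolute/path",
            "..%2fescape", "C:\\", "..", "", "../logs_backup/x"]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:32} rejected={is_rejected(p)}")
    sibling = vulnerable_log_path("../logs_backup/x")
    print("naive startswith accepts sibling:", naive_prefix_check(sibling))
    print("accepted:", safe_log_path("nightly-run_01"))
```

The same list of inputs can be fed through both the WebSocket and HTTP handlers as the regression test the last item calls for.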
Organizations running UFO in server mode should treat this as an active risk until an official patch lands.
FAQ
Q1: What is CVE-2026-46402?
It is a high-severity path traversal vulnerability in Microsoft’s UFO AI automation framework that allows authenticated attackers to create log files outside the intended logs/ directory by injecting traversal sequences into the task_name parameter.
Q2: Is there a patch available for CVE-2026-46402?
No, as of May 30, 2026, Microsoft has not released a patched version, making manual input validation and filesystem hardening the only available mitigations.
Q3: Who is affected by this vulnerability?
Any organization or developer running Microsoft UFO in server mode (via WebSocket or HTTP endpoints) that allows authenticated clients to submit task requests is potentially affected.
Q4: How can I verify if my UFO deployment is vulnerable?
Check whether your deployment uses version v3.0.1-4-ge2626659 and accepts external task_name values without sanitization. The published PoC script by beanduan22 can confirm exploitation in a controlled test environment.
Site: thecybrdef.com