HarborGuard CVE advisory: CVE-2026-46402 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46402: Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversal and log file creation outside the logs directory

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory.

HarborGuard Analysis

Synopsis

Path traversal vulnerability in Microsoft UFO, an open-source intelligent automation framework, allows an authenticated attacker to supply directory traversal sequences (such as "../") in the task_name parameter, which UFO uses without sanitization when constructing session log paths. The attack is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation lets the attacker create arbitrary directories and log files outside the intended logs/ directory, tampering with the filesystem and potentially disrupting service. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Microsoft UFO. Any image found running the affected version (3.0.1-4-ge2626659) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. Where compliance policy permits, customers with auto-remediation enabled will automatically receive the rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as the upstream patch lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; the attacker sends a crafted task_name value to the exposed UFO endpoint (CVSS AV:N).

  • Authentication: Required

    A valid account is needed to reach the log-path construction logic; any low-privilege account is sufficient (CVSS PR:L).

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker submits the malicious request directly (CVSS UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required (CVSS AC:L).

Blast Radius

  • Attacker creates arbitrary directories and log files at any filesystem path the UFO process has write access to, bypassing the intended logs/ directory boundary.
  • Attacker overwrites or pollutes existing files outside the log directory if the process has sufficient permissions, corrupting application or system state.
  • Repeated or large-scale log writes to unexpected locations fill disk space on sensitive partitions, crashing the affected service or co-located services that depend on that storage.

How HarborGuard Handles This

Because no upstream patch exists for CVE-2026-46402, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment Microsoft publishes a fix. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are triggered automatically at that point, subject to each environment's compliance policy. Until then, compensating controls worth evaluating:

  • Network-policy isolation that restricts which clients can reach the UFO service, since exploitation requires network access to the endpoint.
  • Filesystem-level restrictions for the UFO process user (read-only mounts, a dedicated writable logs/ volume, reduced write permissions elsewhere), which bound where log files can land even if traversal succeeds.
  • Input-validation or reverse-proxy rules that reject task_name values containing path separators or traversal sequences ("../", "..\", absolute paths) before they reach the application. Apply the check to the decoded value: a proxy that inspects only the raw query string can be bypassed with percent-encoding.

HarborGuard will surface the patched rebuild as soon as upstream availability is confirmed.
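As an added illustration (this is not code from the UFO project or from HarborGuard; the function names, the logs root and the sample task_name values are constructed), the following Python places the unsafe join pattern the advisory describes beside a hardened version. The hardened version allowlists the identifier and then verifies that the resolved path is a direct child of the logs root, which also covers the absolute-path and pre-planted-symlink cases that a plain "../" substring check misses:

```python
"""Added example, not UFO's own code: the unsafe log-path construction
CVE-2026-46402 describes, beside a hardened version. Function names, the
logs root and the sample task_name values are constructed for illustration."""
import os
import re
from pathlib import Path


def session_log_dir_vulnerable(logs_root: str, task_name: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern: the client-supplied
    task_name is joined onto the logs root with no validation. "../" walks out of
    the root; an absolute task_name makes os.path.join discard the root entirely;
    on Windows "..\\" does the same."""
    return os.path.normpath(os.path.join(logs_root, task_name))


def escapes_root(logs_root: str, task_name: str) -> bool:
    """True when the vulnerable construction lands outside logs_root."""
    root = Path(logs_root).resolve()
    target = Path(session_log_dir_vulnerable(logs_root, task_name)).resolve()
    return target != root and root not in target.parents


# Allowlist: must start alphanumeric, then up to 63 chars of [A-Za-z0-9._-].
# This rejects '/', '\\', '%', NUL, whitespace, and a leading dot (so "." and
# ".." are out). Apply it to the *decoded* request value.
_SAFE_TASK_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_valid_task_name(task_name: str) -> bool:
    return _SAFE_TASK_NAME.fullmatch(task_name) is not None


def session_log_dir_safe(logs_root: str, task_name: str) -> Path:
    """Hardened construction: allowlist first, then confirm the resolved path is a
    direct child of the resolved logs root. The second check is defence in depth;
    it also catches a symlink named task_name planted inside logs/ that points
    elsewhere, because resolve() follows it before the parent comparison."""
    if not is_valid_task_name(task_name):
        raise ValueError(f"rejected task_name: {task_name!r}")
    root = Path(logs_root).resolve()
    target = (root / task_name).resolve()
    if target.parent != root:
        raise ValueError(f"task_name resolves outside logs root: {task_name!r}")
    return target


# Constructed inputs: one legitimate name plus traversal payloads of the kind the
# advisory describes. The backslash variant only traverses on Windows hosts.
SAMPLE_TASK_NAMES = [
    "demo_task",
    "../../etc/cron.d/evil",
    "..\\..\\Windows\\Temp\\evil",
    "/tmp/evil",
    "..",
]


def run_demo(logs_root: str = "logs") -> dict:
    """Map each sample task_name to (vulnerable_escapes_root, hardened_accepts)."""
    return {
        name: (escapes_root(logs_root, name), is_valid_task_name(name))
        for name in SAMPLE_TASK_NAMES
    }


if __name__ == "__main__":
    for name, (escapes, accepted) in run_demo().items():
        print(f"{name!r:32} vulnerable escapes logs/: {str(escapes):5}  hardened accepts: {accepted}")
```

Run stand-alone, the demo shows that every payload except the legitimate name is refused by the allowlist, while the vulnerable join puts "../../etc/cron.d/evil", "/tmp/evil" and ".." outside the logs root on any POSIX host. The same `is_valid_task_name` predicate is what a reverse-proxy or request-validation layer should apply before the value reaches the application.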


Metrics

CVSS v3.1 score: 8.1
Severity: HIGH
Fixed in: none published
Affected products: 1
Affected packages:
  • microsoft / UFO 3.0.1-4-ge2626659
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H