Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMANDRESULTS handler in ufo/server/ws/handler.py called getorcreatesession in ufo/server/services/sessionmanager.py without ownerclientid, allowing an authenticated client to create an unowned attacker-chosen sessionid such as constellationtaskid = f"{taskname}@{taskid}" and deny the legitimate owner or exhaust memory with phantom sessions. This issue is fixed in version 3.0.7.
{
"cwe_ids": [
"CWE-400",
"CWE-862"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55440.json",
"cna_assigner": "GitHub_M"
}