Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
Key Takeaways Ubiquiti has revealed 25 new security vulnerabilities impacting its UniFi product line, with two critical flaws scoring 9.9 and 10.0 on the CVSS v3.1 scale. The vulnerabilities affect a...
Key Takeaways
- Ubiquiti has revealed 25 new security vulnerabilities impacting its UniFi product line, with two critical flaws scoring 9.9 and 10.0 on the CVSS v3.1 scale.
- The vulnerabilities affect a broad range of UniFi products, including UniFi Connect, Talk, Access, Protect, Network Application, and the core UniFi OS platform on UDM, UNVR, and UNAS devices.
- The most severe vulnerability, CVE-2026-50746, allows unauthenticated command injection via network access.
- All identified issues have patches available, and administrators are urged to update affected systems immediately.
Ubiquiti has issued Security Advisory Bulletin 066, detailing 25 security vulnerabilities across its UniFi ecosystem. Among these are several critical flaws, rated as high as 10.0 on the CVSS v3.1 scale, which could enable network-based attackers to achieve complete device compromise without authentication.
Table Of Content
The extensive advisory covers numerous UniFi product lines, including UniFi Connect, Talk, Access, Protect, and the UniFi Network Application. It also impacts the foundational UniFi OS platform, which underpins UDM, UNVR, and UNAS device families. This disclosure follows a series of critical remote privilege escalation vulnerabilities on the UniFi OS platform that Ubiquiti addressed last month.
Critical Vulnerabilities Detailed
The most severe vulnerability identified is CVE-2026-50746, which has received a perfect CVSS score of 10.0. This flaw, an Improper Access Control issue within the UniFi Connect Application (versions 3.4.16 and earlier), allows any attacker with network adjacency to execute command injection without requiring any form of authentication.
Two other highly critical vulnerabilities, CVE-2026-50747 and CVE-2026-50748, each received a CVSS score of 9.9. CVE-2026-50747 involves an authenticated SQL injection flaw in UniFi Talk, while CVE-2026-50748 describes a command injection vulnerability in UniFi Access. Both of these vulnerabilities could be exploited by low-privileged network users to escalate their access to full control over the affected systems.
Further critical-tier bugs include CVE-2026-54402, another command injection vulnerability in UniFi OS with a 9.9 CVSS score, and CVE-2026-55115, an SSRF-driven privilege escalation flaw in UniFi Protect, also rated 9.9. Rounding out the critical category is CVE-2026-54400, a privilege escalation vulnerability in UniFi Access that scored 9.1 but requires high privileges for exploitation.
Of particular concern is CVE-2026-55116, an Improper Access Control vulnerability rated 9.0. This flaw affects UDM, UDM-Pro, UDM-SE, and other related gateway hardware, potentially allowing unauthorized configuration changes under specific network conditions.
High-Severity and Chained Attack Paths
Several high-severity issues have been identified that could facilitate chained attack paths. CVE-2026-54403, an 8.6-rated path traversal bug in UniFi OS, is explicitly highlighted by Ubiquiti as a potential component in attacks designed to bypass low-privilege access requirements when combined with other vulnerabilities.
Similarly, CVE-2026-54401 (7.7) is an SSRF flaw impacting the UniFi OS Server and the UDM family, which can lead to privilege escalation. Another high-severity issue, CVE-2026-54404 (8.8), leverages authenticated SQL injection for similar privilege escalation outcomes.
The UniFi Protect Application is affected by a cluster of high-impact vulnerabilities. These include two authentication bypass issues, CVE-2026-54407 and CVE-2026-54408, both rated 8.6, which affect API endpoints and data streaming. Additionally, a SQL injection flaw, CVE-2026-56841 (8.8), could allow privilege escalation on the host device running UniFi Protect.
Affected Products and Fixed Versions
| Product | Vulnerable Version | Patched Version |
|---|---|---|
| UniFi Connect Application | 3.4.16 and earlier | 3.4.20+ |
| UniFi Talk Application | 5.1.2 and earlier | 5.2.2+ |
| UniFi Access Application | 4.2.28 and earlier | 4.2.29+ |
| UniFi Network Application | 10.3.58 and earlier | 10.4.57+ |
| UniFi Protect Application | 7.1.77 and earlier | 7.1.83+ |
| UniFi Protect Floodlight | 1.13.4 and earlier | 1.13.6+ |
| UniFi OS (UDM/UNVR/UNAS family) | 5.1.15–5.1.18 and earlier | 5.1.19+ |
The bulletin credits a diverse group of independent researchers for their contributions. Abdulaziz Almadhi of Catchify Security is specifically recognized for identifying six separate CVEs across the Access, Talk, and Protect applications. Brandon Rossi is credited with four findings impacting UniFi Protect and Access, while Duc Anh Nguyen and Garett Kopcha each contributed two disclosures related to flaws in Connect, Talk, and Network Applications.
| CVE ID | Affected Product | Vulnerable Version | Fixed Version | Vulnerability Type | CVSS Score | Severity |
|---|---|---|---|---|---|---|
| CVE-2026-50746 | UniFi Connect Application | 3.4.16 and earlier | 3.4.20+ | Improper Access Control | 10.0 | Critical |
| CVE-2026-50747 | UniFi Talk Application | 5.1.2 and earlier | 5.2.2+ | SQL Injection | 9.9 | Critical |
| CVE-2026-50748 | UniFi Access Application | 4.2.28 and earlier | 4.2.29+ | Improper Input Validation | 9.9 | Critical |
| CVE-2026-54400 | UniFi Access Application | 4.2.28 and earlier | 4.2.29+ | Improper Access Control | 9.1 | Critical |
| CVE-2026-54401 | UniFi OS (UDM/UNVR/UNAS family) | 5.1.15–5.1.18 and earlier | 5.1.19+ | SSRF | 7.7 | High |
| CVE-2026-54402 | UniFi OS (UDM/UNVR/UNAS family) | 5.1.15–5.1.18 and earlier | 5.1.19+ | Improper Input Validation | 9.9 | Critical |
| CVE-2026-54403 | UniFi OS (UDM/UNVR/UNAS family) | 5.1.15–5.1.18 and earlier | 5.1.19+ | Path Traversal | 8.6 | High |
| CVE-2026-54404 | UniFi OS (UDM/UNVR/UNAS family) | 5.1.15–5.1.18 and earlier | 5.1.19+ | SQL Injection | 8.8 | High |
| CVE-2026-54405 | UniFi Network Application | 10.3.58 and earlier | 10.4.57+ | Improper Input Validation (DoS) |



No Comment! Be the first one.