Ubiquiti Disclosed 25 Security Vulnerabilities Across the UniFi Ecosystem

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Ubiquiti has disclosed 25 security vulnerabilities affecting its UniFi ecosystem in Security Advisory Bulletin 066, including several critical flaws rated 9.9 and 10.0 on the CVSS v3.1 scale that could allow network-based attackers to fully compromise devices.

The advisory spans UniFi Connect, Talk, Access, Protect, Network Application, and the core UniFi OS platform running on UDM, UNVR, and UNAS device families.

Last month, Ubiquiti patched a series of Critical vulnerabilities that allowed remote privilege escalation on its UniFi OS platform.

The most severe issue, CVE-2026-50746, carries a perfect 10.0 score and stems from an Improper Access Control flaw in UniFi Connect Application (version 3.4.16 and earlier), letting any network-adjacent attacker execute command injection without authentication.

Close behind, CVE-2026-50747 and CVE-2026-50748 each scored 9.9: CVE-2026-50747 involved authenticated SQL injection in UniFi Talk, and CVE-2026-50748 involved command injection in UniFi Access; both were exploitable by low-privileged network users to escalate to full control.

Additional 9.9-rated bugs include CVE-2026-54402 (command injection in UniFi OS) and CVE-2026-55115 (SSRF-driven privilege escalation in UniFi Protect), while CVE-2026-54400 rounds out the critical tier at 9.1 with a privilege-escalation flaw in UniFi Access that requires high privileges.

A notably dangerous entry is CVE-2026-55116, a 9.0-rated Improper Access Control vulnerability affecting UDM, UDM-Pro, UDM-SE, and related gateway hardware, which permits unauthorized configuration changes under certain network conditions.

Several high-severity issues involve chainable attack paths. CVE-2026-54403, an 8.6-rated path traversal bug in UniFi OS, is explicitly flagged by Ubiquiti as capable of being combined with other vulnerabilities to bypass the low-privilege access requirement entirely.

Similarly, CVE-2026-54401 (7.7) is an SSRF flaw across the UniFi OS Server and UDM family enabling privilege escalation, while CVE-2026-54404 (8.8) exploits authenticated SQL injection to the same effect .

The UniFi Protect Application accounts for a cluster of high-impact findings, including two authentication bypass issues (CVE-2026-54407 and CVE-2026-54408, both 8.6) affecting API endpoints and data streaming, plus a SQL injection flaw (CVE-2026-56841, 8.8) that enables privilege escalation on the host device.

Affected Products and Fixed Versions

Product Vulnerable Version Patched Version
UniFi Connect Application 3.4.16 and earlier 3.4.20+
UniFi Talk Application 5.1.2 and earlier 5.2.2+
UniFi Access Application 4.2.28 and earlier 4.2.29+
UniFi Network Application 10.3.58 and earlier 10.4.57+
UniFi Protect Application 7.1.77 and earlier 7.1.83+
UniFi Protect Floodlight 1.13.4 and earlier 1.13.6+
UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+

The bulletin credits a wide pool of independent researchers, with Abdulaziz Almadhi of Catchify Security identified across six separate CVEs spanning Access, Talk, and Protect applications.

Brandon Rossi is credited with four findings affecting UniFi Protect and Access, while Duc Anh Nguyen and Garett Kopcha each contributed two disclosures involving Connect, Talk, and Network Application flaws .

CVE ID Affected Product Vulnerable Version Fixed Version Vulnerability Type CVSS Score Severity
CVE-2026-50746 UniFi Connect Application 3.4.16 and earlier 3.4.20+ Improper Access Control 10.0 Critical
CVE-2026-50747 UniFi Talk Application 5.1.2 and earlier 5.2.2+ SQL Injection 9.9 Critical
CVE-2026-50748 UniFi Access Application 4.2.28 and earlier 4.2.29+ Improper Input Validation 9.9 Critical
CVE-2026-54400 UniFi Access Application 4.2.28 and earlier 4.2.29+ Improper Access Control 9.1 Critical
CVE-2026-54401 UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+ SSRF 7.7 High
CVE-2026-54402 UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+ Improper Input Validation 9.9 Critical
CVE-2026-54403 UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+ Path Traversal 8.6 High
CVE-2026-54404 UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+ SQL Injection 8.8 High
CVE-2026-54405 UniFi Network Application 10.3.58 and earlier 10.4.57+ Improper Input Validation (DoS) 7.5 High
CVE-2026-54406 UniFi Network Application 10.3.58 and earlier 10.4.57+ Path Traversal 8.7 High
CVE-2026-54407 UniFi Protect Application 7.1.77 and earlier 7.1.83+ Improper Access Control 8.6 High
CVE-2026-54408 UniFi Protect Application 7.1.77 and earlier 7.1.83+ Improper Access Control 8.6 High
CVE-2026-54409 UniFi Protect Application 7.1.77 and earlier 7.1.83+ Improper Initialization 7.5 High
CVE-2026-55110 UniFi OS (UDM/UNVR/UNAS family) 5.1.15–5.1.18 and earlier 5.1.19+ CORS Misconfiguration 7.5 High
CVE-2026-55111 UniFi Protect Floodlight 1.13.4 and earlier 1.13.6+ Path Traversal 7.5 High
CVE-2026-55112 UniFi OS + Protect (UDM-Pro etc.) 5.1.15 and earlier 5.1.19+ Improper Access Control 7.5 High
CVE-2026-55113 UniFi Talk Application 5.1.2 and earlier 5.2.2+ SSRF 7.5 High
CVE-2026-55114 UniFi Network Application 10.3.58 and earlier 10.4.57+ Improper Access Control 8.8 High
CVE-2026-55115 UniFi Protect Application 7.1.77 and earlier 7.1.83+ SSRF 9.9 Critical
CVE-2026-55116 UniFi OS (UDM/gateway family) 5.1.15–5.1.18 and earlier 5.1.19+ Improper Access Control 9.0 Critical
CVE-2026-55117 UniFi Access Application 4.2.28 and earlier 4.2.29+ Path Traversal 8.6 High
CVE-2026-55118 UniFi Network Application 10.3.58 and earlier 10.4.57+ Improper Access Control 8.3 High
CVE-2026-55119 UniFi Talk Application 5.1.2 and earlier 5.2.2+ Improper Access Control 8.1 High
CVE-2026-56841 UniFi Protect Application 7.1.77 and earlier 7.1.83+ SQL Injection 8.8 High
CVE-2026-56842 UniFi Network Application 10.3.58 and earlier 10.4.57+ Incorrect Authorization 7.5 High

Ubiquiti’s mitigation is consistent across the bulletin: administrators must update each affected product to its designated fixed version, with no interim workarounds listed for any of the 25 entries.

Given the presence of multiple unauthenticated, network-exploitable, critical-severity flaws, particularly the chainable path traversal issue in UniFi OS organizations running UDM, UNVR, or UNAS hardware, should prioritize firmware updates immediately rather than waiting for scheduled maintenance windows.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide