Skip to main content
POC github.com/BishopFox Jun 05, 2026 by BishopFox

CVE-2026-34908: Unauthenticated RCE Chain in UniFi OS Server via Auth Bypass and Path Traversal

Related CVEs

Other CVEs in Same Group

CVE-2026-34910 CRITICAL 10.0

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CVE-2026-34909 CRITICAL 10.0

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

CVE-2026-33000 CRITICAL 9.1

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

CVE-2026-34911 HIGH 7.7

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy