Skip to main content

Ubiquiti CVE-2026-22558

HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-03-19 support@hackerone.com
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 13:52 vuln.today
CVE Published
Mar 19, 2026 - 15:16 nvd
HIGH 7.7

DescriptionCVE.org

An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.

AnalysisAI

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Technical ContextAI

This vulnerability stems from CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), commonly affecting applications using NoSQL databases such as MongoDB, CouchDB, or similar document stores prevalent in network management platforms. UniFi Network Application, Ubiquiti's centralized management software for UniFi networking equipment, fails to properly sanitize or validate user-controlled input before incorporating it into NoSQL database queries. Authenticated users can inject malicious query operators or conditions that alter the intended logic, potentially bypassing authorization checks or extracting data from collections they should not access. The scope change (S:C) in the CVSS vector indicates the vulnerability affects resources beyond its security scope, suggesting cross-tenant or cross-privilege-boundary data disclosure is possible.

Affected ProductsAI

Ubiquiti UniFi Network Application versions are affected by this authenticated NoSQL injection vulnerability. The vendor security advisory is published at https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b, though specific vulnerable version ranges have not been independently confirmed from the available data. The vulnerability was reported through HackerOne (support@hackerone.com), suggesting responsible disclosure through Ubiquiti's bug bounty program. Organizations running UniFi Network Application for managing UniFi switches, access points, gateways, and security appliances should consult the vendor advisory for precise version identification.

RemediationAI

Consult the official Ubiquiti security advisory at https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b for patch availability and specific upgrade instructions for UniFi Network Application. Until patching is completed, implement compensating controls including restricting administrative interface access to trusted IP ranges via firewall rules, enforcing strong authentication policies with multi-factor authentication for all UniFi accounts, conducting regular privilege audits to ensure least-privilege principles, and monitoring database query logs for suspicious NoSQL injection patterns such as unusual operators or conditional logic. Network segmentation should isolate UniFi management traffic from general user networks to reduce the attack surface available to low-privileged authenticated users.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2013-1606 HIGH POC
7.5 Jul 18

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow

CVE-2026-22557 CRITICAL POC
10.0 Mar 19

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac

CVE-2023-1458 CRITICAL POC
9.8 Mar 25

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi

CVE-2023-24104 CRITICAL POC
9.8 Feb 23

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra

CVE-2016-7792 HIGH POC
8.8 Jan 23

Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data

CVE-2023-23912 HIGH POC
8.8 Feb 09

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5

CVE-2023-2375 HIGH POC
7.3 Apr 28

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne

CVE-2023-2374 HIGH POC
7.3 Apr 28

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this

CVE-2023-2378 HIGH POC
7.3 Apr 28

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability

Share

CVE-2026-22558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy