Ubiquiti
CVE-2026-22558
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
AnalysisAI
UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.
Technical ContextAI
This vulnerability stems from CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), commonly affecting applications using NoSQL databases such as MongoDB, CouchDB, or similar document stores prevalent in network management platforms. UniFi Network Application, Ubiquiti's centralized management software for UniFi networking equipment, fails to properly sanitize or validate user-controlled input before incorporating it into NoSQL database queries. Authenticated users can inject malicious query operators or conditions that alter the intended logic, potentially bypassing authorization checks or extracting data from collections they should not access. The scope change (S:C) in the CVSS vector indicates the vulnerability affects resources beyond its security scope, suggesting cross-tenant or cross-privilege-boundary data disclosure is possible.
Affected ProductsAI
Ubiquiti UniFi Network Application versions are affected by this authenticated NoSQL injection vulnerability. The vendor security advisory is published at https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b, though specific vulnerable version ranges have not been independently confirmed from the available data. The vulnerability was reported through HackerOne (support@hackerone.com), suggesting responsible disclosure through Ubiquiti's bug bounty program. Organizations running UniFi Network Application for managing UniFi switches, access points, gateways, and security appliances should consult the vendor advisory for precise version identification.
RemediationAI
Consult the official Ubiquiti security advisory at https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b for patch availability and specific upgrade instructions for UniFi Network Application. Until patching is completed, implement compensating controls including restricting administrative interface access to trusted IP ranges via firewall rules, enforcing strong authentication policies with multi-factor authentication for all UniFi accounts, conducting regular privilege audits to ensure least-privilege principles, and monitoring database query logs for suspicious NoSQL injection patterns such as unusual operators or conditional logic. Network segmentation should isolate UniFi management traffic from general user networks to reduce the attack surface available to low-privileged authenticated users.
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow
A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac
A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi
Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra
Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability
Same technique Nosql Injection
View allShare
External POC / Exploit Code
Leaving vuln.today