Skip to main content

Severity by source

Vendor (hackerone) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (hackerone) · only source for this CVE.

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Added to CISA KEV
Jun 23, 2026 - 18:17 CISA
Patch available
May 22, 2026 - 02:01 EUVD
Analysis Generated
May 22, 2026 - 01:43 vuln.today

DescriptionCVE.org

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

AnalysisAI

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Technical ContextAI

UniFi OS is Ubiquiti's unified operating system that runs on the UDM (Dream Machine) line, UDR routers, UCG cloud gateways, UCK/UCKP cloud keys, UNVR network video recorders, UNAS storage appliances, and the EFG/UDW edge platforms. The flaw is classified as CWE-284 (Improper Access Control), meaning authorization checks for privileged system-modifying operations are missing or bypassable. The CVSS scope change (S:C) signals that exploitation crosses a trust boundary - the affected component can influence resources beyond its own security authority, which on a converged network appliance like UniFi OS typically means routing, firewall, VPN, or camera/storage subsystems controlled by the same management plane.

RemediationAI

Patch available per vendor advisory - consult Ubiquiti Security Advisory Bulletin 064 at https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b for the exact fixed UniFi OS firmware version for each device model, as the input does not enumerate fix versions. Until firmware can be applied, restrict the UniFi OS management interface (typically TCP 443 and 8443) to a dedicated management VLAN or VPN, and ensure WAN-side management is disabled - note that disabling remote access will break Ubiquiti's UI.com cloud SSO workflow for off-network admins. As a compensating control, place the controller behind a firewall rule that allows only known admin IPs to reach the web UI; this does not prevent lateral movement from a compromised internal host but eliminates external exposure.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-33000 CRITICAL
9.1 May 22

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope

CVE-2026-54402 HIGH
8.8 Jul 02

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb

CVE-2026-54404 HIGH
8.8 Jul 02

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica

CVE-2026-54401 HIGH
8.8 Jul 02

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th

CVE-2026-54403 HIGH
8.6 Jul 02

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2026-34911 HIGH
7.7 May 22

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file

CVE-2026-55110 MEDIUM
6.1 Jul 02

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious

Share

CVE-2026-34908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy