Skip to main content

Severity by source

Vendor (hackerone) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from Vendor (hackerone) · only source for this CVE.

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 22, 2026 - 02:01 EUVD
Analysis Generated
May 22, 2026 - 01:44 vuln.today

DescriptionCVE.org

A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information.

AnalysisAI

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

UniFi OS is the embedded Linux-based management platform Ubiquiti ships across its Dream Machine (UDM/UDR/UCG), Cloud Key (UCK/UCKP), Network Video Recorder (UNVR/ENVR), and UniFi NAS (UNAS) appliances, exposing a web/API surface for device administration. The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a request parameter or path component is concatenated into a filesystem operation without canonicalization, so '../' sequences or absolute paths escape the intended directory. Because UniFi OS runs privileged services that touch system files, traversal reads can reach OS-level resources outside the application's intended jail, which explains the CVSS Scope:Changed designation.

RemediationAI

Patch available per vendor advisory - upgrade affected UniFi OS appliances to the firmware revisions listed in Ubiquiti Security Advisory Bulletin 064 (https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b); exact fix versions per model are documented there and should be applied via the UniFi controller or device UI. As compensating controls until the update is staged, restrict the UniFi management interface to a dedicated management VLAN and block it from general user networks at the firewall, remove unnecessary local UniFi user accounts and tighten role assignments so untrusted parties do not hold even low-privileged credentials, and disable remote/Site Manager access for the affected devices (trade-off: loss of cloud-based remote administration). Rotate any credentials, API tokens, or backup-encryption secrets stored on the device after patching, since prior read-access by a low-privileged user cannot be ruled out from logs alone.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-33000 CRITICAL
9.1 May 22

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope

CVE-2026-54402 HIGH
8.8 Jul 02

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb

CVE-2026-54404 HIGH
8.8 Jul 02

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica

CVE-2026-54401 HIGH
8.8 Jul 02

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th

CVE-2026-54403 HIGH
8.6 Jul 02

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2026-55110 MEDIUM
6.1 Jul 02

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious

Share

CVE-2026-34911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy