Skip to main content

UniFi Connect Application CVE-2026-50746

| EUVDEUVD-2026-41389 CRITICAL
Improper Access Control (CWE-284)
2026-07-02 hackerone GHSA-8q6j-36ff-q77x
10.0
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Network-reachable unauthenticated access-control bypass (AV:N/PR:N/UI:N) feeding OS command injection that escapes the app to the host gives S:C and full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:30 vuln.today

DescriptionCVE.org

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.

AnalysisAI

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Connect Application over network
Delivery
Bypass authorization on protected endpoint
Exploit
Inject OS command via crafted parameter
Execution
Execute code as service account
Impact
Pivot beyond app scope

Vulnerability AssessmentAI

Exploitation The attacker must have network access to the UniFi Connect Application service (AV:N, network-reachable), but requires no valid credentials and no user interaction (PR:N/UI:N) because the flaw is an access-control bypass - the vulnerable function is reachable without authorization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine top-priority issue, not an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the same network segment as the UniFi Connect Application sends a crafted request to an improperly protected endpoint, bypassing authentication and embedding shell metacharacters in a parameter that the app passes to a host command. The command executes with the service's privileges, giving the attacker a foothold to run arbitrary code, exfiltrate data, and pivot to other systems. …
Remediation Upgrade UniFi Connect Application to the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the advisory confirms a patch is available, though an exact fixed version number is not included in the provided data, so confirm the specific build from the bulletin. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Isolate UniFi Connect Application instances from untrusted networks; review and preserve access logs for forensic analysis. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy