Skip to main content

UniFi Talk Application CVE-2026-50747

| EUVDEUVD-2026-41390 CRITICAL
SQL Injection (CWE-89)
2026-07-02 hackerone GHSA-q2c2-qqhg-wj5p
9.9
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable app requiring only a low-privileged account (PR:L), no user interaction; SQLi escalates from app into host, justifying S:C with full host CIA impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:30 vuln.today

DescriptionCVE.org

A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device.

AnalysisAI

Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Talk credentials
Delivery
Reach Talk application over network
Exploit
Inject SQL via vulnerable endpoint
Execution
Chain SQLi to manipulate backend queries
Persist
Escalate privileges on host device
Impact
Full compromise of UniFi host

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least a low-privileged UniFi Talk Application account (CVSS PR:L) and network reachability to the Talk application interface (AV:N); no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mostly aligned toward high real-world risk but incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privileged UniFi Talk account - for example a rank-and-file phone user or a compromised employee login - sends crafted input to a vulnerable Talk endpoint that is concatenated into a backend SQL query. By chaining the SQL injection flaws, the attacker manipulates the database and leverages the trusted execution context to escalate to host-level privileges on the UniFi device. …
Remediation Patch available per vendor advisory: update the UniFi Talk Application to the fixed version described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the input does not include an exact fixed version number, so verify the target build directly from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all UniFi Talk deployments; disable non-essential accounts and restrict authenticated access to named administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy