Skip to main content

UniFi Access CVE-2026-50748

| EUVDEUVD-2026-41384 CRITICAL
Improper Input Validation (CWE-20)
2026-07-02 hackerone GHSA-fp2c-q39c-97j4
9.9
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable authenticated low-priv user (PR:L) triggers low-complexity command injection escaping the app to the host (S:C), yielding full C/I/A host compromise.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:30 vuln.today

DescriptionCVE.org

A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi Access Application to execute a Command Injection on the host device.

AnalysisAI

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach UniFi Access over network with low-priv account
Delivery
Submit input with shell metacharacters
Exploit
Bypass improper input validation
Execution
Inject command into host shell
Persist
Execute arbitrary code on host device
Impact
Compromise host beyond application scope

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the UniFi Access Application and a valid low-privilege account (CVSS PR:L) - this is authenticated exploitation, not unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privileged account on the UniFi Access Application and can reach it over the network submits crafted input to a field that is improperly validated, embedding shell metacharacters that the application passes to the host command interpreter. The injected commands execute on the underlying UniFi host device, giving the attacker code execution outside the application boundary. …
Remediation Patch available per vendor advisory - upgrade the UniFi Access Application to the fixed release described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not stated in the available data, so confirm the target build in that bulletin before scheduling the upgrade. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Isolate UniFi Access systems from production networks or restrict access to secure management networks only; review access logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy