Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Requires existing high app privileges (PR:H) over the network (AV:N) with no user interaction; the application-to-host escalation justifies S:C and full C/I/A impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network and high privileges could exploit an Improper Access Control vulnerability found in UniFi Access Application to escalate privileges on the host device.
Articles & Coverage 1
AnalysisAI
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold high privileges within the UniFi Access Application (CVSS PR:H) and to have network reachability to the application/management interface (AV:N); no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H = 9.1 Critical) shows a network-reachable, low-complexity attack requiring no user interaction but requiring high existing privileges (PR:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a high-privilege UniFi Access account (e.g., a rogue administrator or an adversary who phished/reused admin credentials) connects over the network to the management interface and abuses the improper access control flaw to execute actions against the underlying host device, escalating from application admin to host-level control. Because the scope changes, the attacker can then manipulate the device that enforces physical door access. … |
| Remediation | Apply the vendor's fixed release for UniFi Access as described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not included in the provided data, so confirm the target version directly from that advisory before deploying - Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all UniFi Access administrative account holders and review logs for unauthorized access or suspicious privilege escalation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Access Application
View allCommand injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary
Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41386
GHSA-rwfh-5cw2-f7g6