Skip to main content

Ubiquiti UniFi OS CVE-2026-54401

| EUVDEUVD-2026-41392 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 hackerone GHSA-j9mg-7mrv-2wwc
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (hackerone) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable SSRF exploitable by an authenticated low-privileged user (PR:L, AV:N, AC:L, UI:N) yielding privilege escalation confined to the device (S:U) with high C/I/A; SSVC 'partial' impact adds mild uncertainty to the H ratings.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 10, 2026 - 03:00 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 02:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 02:52 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 02:52 NVD
7.7 (HIGH) 8.8 (HIGH)
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:33 vuln.today

DescriptionNVD

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.

AnalysisAI

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Reach URL-fetch feature over network
Exploit
Submit attacker-controlled SSRF request
Execution
Redirect request to internal privileged service
Impact
Escalate privileges within UniFi OS device

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the UniFi OS management interface plus a valid low-privileged account on the device (CVSS PR:L, so authenticated but not administrative); no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to a genuine but non-emergency priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a low-privileged UniFi OS account (or compromises one) on a reachable Dream Machine or UniFi OS Server submits a crafted request to a URL-fetching feature, causing the device to issue requests to its own internal management services. By steering those server-side requests to privileged loopback endpoints, the attacker escalates privileges within the appliance. …
Remediation Vendor-released patch: UniFi OS 5.1.19. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all Ubiquiti UniFi OS devices in your environment; document current firmware versions for each device and identify those below version 5.1.19. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-33000 CRITICAL
9.1 May 22

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope

CVE-2026-54402 HIGH
8.8 Jul 02

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb

CVE-2026-54404 HIGH
8.8 Jul 02

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica

CVE-2026-54403 HIGH
8.6 Jul 02

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2026-34911 HIGH
7.7 May 22

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file

CVE-2026-55110 MEDIUM
6.1 Jul 02

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious

Share

CVE-2026-54401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy