Skip to main content

UniFi OS CVE-2026-54402

| EUVDEUVD-2026-41391 HIGH
Improper Input Validation (CWE-20)
2026-07-02 hackerone GHSA-ghgx-h467-6r25
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (hackerone) PRIMARY
CRITICAL
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable management interface (AV:N) with low complexity and no user interaction, but requires a low-privilege authenticated account (PR:L); command execution on the host yields total C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 10, 2026 - 03:02 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 03:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 02:52 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 02:52 NVD
CRITICAL HIGH
CVSS changed
Jul 10, 2026 - 02:52 NVD
9.9 (CRITICAL) 8.8 (HIGH)
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:32 vuln.today

DescriptionNVD

A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device.

AnalysisAI

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege account + network access
Delivery
Reach UniFi OS management interface
Exploit
Submit crafted input to vulnerable field
Execution
Inject shell command bypassing input validation
Persist
Execute arbitrary OS commands on host
Impact
Full device takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the affected UniFi OS device's management surface and (2) a valid low-privilege authenticated account on that device - the CVSS vector's PR:L confirms authentication is needed, and the description explicitly states 'low privileges.' No user interaction and no special non-default feature toggle is documented as required (UI:N), so any UniFi OS build before 5.1.19 with a reachable management interface is exploitable by an authenticated low-privilege actor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately consistent but not alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privileged UniFi account - for example a limited operator login or reused/leaked credentials - and can reach the device's management interface over the network submits a crafted value into a vulnerable input field that is passed to a host command. The injected shell payload executes on the UniFi OS host, giving the attacker command execution as the appliance's service context and a path to full device takeover. …
Remediation Vendor-released patch: UniFi OS 5.1.19. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all UniFi deployments and confirm current OS versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-33000 CRITICAL
9.1 May 22

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope

CVE-2026-54404 HIGH
8.8 Jul 02

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica

CVE-2026-54401 HIGH
8.8 Jul 02

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th

CVE-2026-54403 HIGH
8.6 Jul 02

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2026-34911 HIGH
7.7 May 22

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file

CVE-2026-55110 MEDIUM
6.1 Jul 02

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious

Share

CVE-2026-54402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy