Skip to main content

UniFi OS CVE-2026-54404

| EUVDEUVD-2026-41387 HIGH
SQL Injection (CWE-89)
2026-07-02 hackerone GHSA-fcgm-88x5-cv87
8.8
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable management interface (AV:N) exploitable at low complexity by an authenticated low-privileged user (PR:L), yielding full compromise of the UniFi OS device (C/I/A:H), scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:34 vuln.today

DescriptionCVE.org

A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi OS to escalate privileges within such UniFi OS devices or instances.

AnalysisAI

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged UniFi OS account
Delivery
Reach management/API interface over network
Exploit
Inject SQL via crafted parameter
Execution
Chain multiple injection points
Persist
Manipulate authorization data
Impact
Escalate to administrative privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account: the CVSS vector specifies PR:L, so the attacker must already possess valid low-privileged credentials on the UniFi OS device or instance and network reachability to its management/API interface (AV:N, AC:L, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately concerning but not top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been issued (or has phished/compromised) a limited UniFi operator account connects to the UniFi OS management interface over the network and submits crafted input to a vulnerable parameter, injecting SQL that manipulates authorization data. By chaining the series of injection points, they elevate their session to administrative privileges over the gateway or recorder. …
Remediation Patch available per vendor advisory: apply the UniFi OS updates described in Ubiquiti Security Advisory Bulletin 066-066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc) to each affected device and to any self-hosted UniFi OS Server; the exact fixed version numbers are not included in the provided input and should be read from that advisory before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all UniFi OS instances and document versions; restrict UniFi OS administrative console access to minimum required personnel; enable SQL injection detection/logging on all affected appliances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-33000 CRITICAL
9.1 May 22

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope

CVE-2026-54402 HIGH
8.8 Jul 02

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb

CVE-2026-54401 HIGH
8.8 Jul 02

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th

CVE-2026-54403 HIGH
8.6 Jul 02

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2026-34911 HIGH
7.7 May 22

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file

CVE-2026-55110 MEDIUM
6.1 Jul 02

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious

Share

CVE-2026-54404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy