Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Network-reachable authentication bypass with no privileges or interaction (AV:N/AC:L/PR:N/UI:N); primary impact is video/data exposure (C:H) with limited integrity/availability effect.
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Description (CVE.org)
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication for data streaming.
Analysis (AI)
Authentication bypass in Ubiquiti's UniFi Protect Application lets a network-adjacent attacker access data streams without valid credentials, stemming from improper access control (CWE-284). The CVSS 8.6 rating reflects high confidentiality impact with low integrity/availability effects, and no authentication or user interaction is required per the vector. …
Vulnerability Assessment (AI)

| Aspect | Details |
|---|---|
| Exploitation | Exploitation requires network reachability to the UniFi Protect Application's data-streaming interface on a UniFi console/NVR; the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates no authentication, no user interaction, and low complexity against affected versions. … |
| Risk Assessment | The signals are mostly aligned toward elevated but not maximal priority. … |
| Exploit Scenario | An attacker who has gained a foothold on the same LAN or an adjacent reachable network segment as a UniFi Protect console (for example via a compromised IoT device or guest Wi-Fi that can route to the management network) sends requests directly to the Protect data-streaming interface. Because the access-control check is bypassable, they retrieve live or recorded camera video without valid credentials. … |
| Remediation | Patch available per vendor advisory: update UniFi Protect to the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); an exact fixed version number is not provided in the source data, so consult that advisory for the precise build. … |
Recommended Action (AI)
Within 24 hours: Audit and inventory all UniFi Protect NVRs and controllers; restrict network access to management and video streaming ports (443, 7442, 7443) via firewall rules and network segmentation. …
EUVD-2026-41383
GHSA-jrx2-468w-2jv8