Skip to main content

UniFi OS CVE-2026-55110

| EUVDEUVD-2026-41388 MEDIUM
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-07-02 hackerone GHSA-fwmw-87x4-wjv5
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (hackerone) PRIMARY
HIGH
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
7.5 HIGH

Network-reachable but attacker-unauthenticated (PR:N) exploitation depends on a lured, already-logged-in admin (UI:R) and non-trivial CORS/timing conditions (AC:H), yielding full session-level C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 09, 2026 - 18:37 NVD
HIGH MEDIUM
CVSS changed
Jul 09, 2026 - 18:37 NVD
7.5 (HIGH) 6.1 (MEDIUM)
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:36 vuln.today

DescriptionNVD

A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session.

AnalysisAI

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify logged-in UniFi admin target
Delivery
Send phishing link to malicious page
Exploit
Victim's browser loads attacker JavaScript
Execution
CORS lets credentialed cross-origin API calls
Persist
Read data and trigger console actions
Impact
Compromise gateway configuration

Vulnerability AssessmentAI

Exploitation Requires a UniFi OS user to be actively authenticated to the console and to be lured (UI:R) into visiting an attacker-controlled web page in the same browser while that session is valid; the attacker themselves needs no credentials (PR:N) but must satisfy the CORS misconfiguration to have their malicious origin trusted for credentialed requests, and AC:H indicates non-trivial conditions such as timing against a live session or a permitted/reflected origin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-conditional risk rather than a drop-everything emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a UniFi administrator a phishing link (e.g., a fake support or firmware-notice page) while that admin is logged into their UniFi OS console in another tab. The malicious page runs JavaScript that, thanks to the permissive CORS policy, makes credentialed cross-origin requests to the console API and reads the responses and/or triggers configuration actions under the admin's identity. …
Remediation Apply the UniFi OS update referenced in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc) - patch available per vendor advisory, but the input does not specify an exact fixed version, so verify and install the patched build for your specific console (UniFi OS Server, Dream Machine/Router/Wall, Cloud Gateway/Key, Express 7, or NVR/EVR) from that bulletin; enable automatic firmware updates where supported. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Issue security advisory to all UniFi OS administrators instructing them to disable remote admin access and restrict administrative console access to trusted internal networks only; document all current administrative users and sessions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Share

CVE-2026-55110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy