Skip to main content

UniFi Talk CVE-2026-55113

| EUVDEUVD-2026-41394 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 hackerone GHSA-hp2q-c8xq-v8qv
7.5
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
vuln.today AI
7.5 HIGH

Network-reachable unauthenticated SSRF (AV:N/PR:N/UI:N) with high complexity preconditions (AC:H); scope-changed via server-side pivot (S:C), causing auth bypass (I:L) and DoS (A:H) with no data disclosure (C:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:37 vuln.today

DescriptionCVE.org

A malicious actor with access to the network could exploit a Server-Side Request Forgery (SSRF) vulnerability found in UniFi Talk Application to execute a Denial of Service (DoS) attack and bypass authentication in certain UniFi Talk API endpoints.

AnalysisAI

Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the application into making unintended internal requests, resulting in a Denial of Service and an authentication bypass against certain UniFi Talk API endpoints. The flaw carries CVSS 7.5 (scope-changed, high availability impact) and is reachable by remote attackers without authentication (PR:N), though a high attack complexity (AC:H) constrains reliable exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach UniFi Talk host over network
Delivery
Craft request with malicious server-side URL
Exploit
Trigger SSRF in Talk API handler
Execution
Bypass auth on internal Talk endpoint
Persist
Exhaust service resources
Impact
Telephony denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to a host running the UniFi Talk Application and the ability to reach its API/service endpoints; no authentication is required per the CVSS vector (PR:N) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and warrant a moderate-to-elevated but not top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the UniFi Talk host sends crafted requests that manipulate a server-side URL/host parameter, causing the application to issue attacker-directed internal requests. By abusing this SSRF the attacker reaches protected UniFi Talk API endpoints to bypass authentication and/or drives the service into a resource-exhaustion condition, taking telephony offline (DoS). …
Remediation Patch available per vendor advisory: apply the UniFi Talk Application update referenced in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc) - the exact fixed version was not provided in the input and should be taken directly from that advisory; do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all UniFi Talk Application instances and document current software versions; implement detailed logging and monitoring for unusual internal HTTP requests originating from UniFi Talk processes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy