Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Unauthenticated network-reachable traversal (AV:N/AC:L/PR:N/UI:N) reading host files outside the app boundary gives S:C and C:H, with no integrity or availability impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Access Application to access files on the host device.
AnalysisAI
Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the UniFi Access Application's web/management service; per the CVSS vector (AV:N/AC:L/PR:N/UI:N) no authentication and no user interaction are needed against an affected instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, score 8.6) describes an easily reached, unauthenticated, network-based read primitive with a scope change, which is why the score is high despite only confidentiality being impacted. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with reachability to the UniFi Access management interface sends a crafted HTTP request containing directory-traversal sequences (e.g., ../../) in a file or path parameter to read sensitive files from the host, such as configuration files, credential stores, or private keys. Because no authentication is required (PR:N) and complexity is low (AC:L), the request can be issued without prior access; no public POC is currently referenced, so an attacker would need to identify the vulnerable parameter themselves. |
| Remediation | Patch available per vendor advisory: upgrade the UniFi Access Application to the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not stated in the available input data and must be taken from that advisory, so do not assume a specific build number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify and inventory all UniFi Access Application instances; determine network exposure and data sensitivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Access Application
View allCommand injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and net
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41395
GHSA-qhch-3mhg-5r99