Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Unauthenticated, network-reachable API bypass (AV:N/AC:L/PR:N/UI:N); limited data exposure and tampering (C:L/I:L) with high service-disruption impact (A:H); no scope change (S:U).
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Description (source: CVE.org)
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints.
Analysis (AI-generated)
Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata; the visualization is not included on this page.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker requires network-level access to reach the UniFi Protect Application's affected API endpoints (per the description, "access to the network"), and the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that no authentication, no user interaction, and only low complexity are needed once those endpoints are reachable. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H, score 8.6) describes an easy-to-reach, unauthenticated, no-interaction bug, the classic profile of an exposed authentication bypass, with the severity driven mainly by high availability impact (A:H) alongside limited confidentiality and integrity effects. … |
| Exploit Scenario | An attacker who has network reach to a UniFi console (for example a foothold on the same LAN/VLAN, or an internet-exposed console) sends crafted requests directly to the affected UniFi Protect API endpoints without authenticating. Because the access-control check is missing, the endpoints respond, letting the attacker invoke protected functionality and potentially disrupt Protect services (consistent with the A:H impact). … |
| Remediation | Patch available per vendor advisory: upgrade the UniFi Protect Application to the fixed version identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc). An exact fix version was not included in the provided data, so confirm the target build from that advisory before updating. … |
Recommended Action (AI-generated)
24 hours: Identify all UniFi Protect deployments; verify network isolation from untrusted networks; audit current connectivity and administrative access patterns. …
Related identifiers
EUVD-2026-41379
GHSA-x7fp-rqc2-wmg4