Skip to main content

UniFi Network Application EUVDEUVD-2026-41385

| CVE-2026-54406 HIGH
Path Traversal (CWE-22)
2026-07-02 hackerone GHSA-h9fm-m325-j8cf
8.7
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
vuln.today AI
8.7 HIGH

Network-reachable and low-complexity but requires high app privileges (PR:H); path traversal escapes the app to write on the host (S:C) yielding I:H/A:H with no disclosure (C:N).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 16:17 EUVD
Analysis Generated
Jul 02, 2026 - 15:34 vuln.today

DescriptionCVE.org

A malicious actor with access to the network and high privileges could exploit a Path Traversal vulnerability found in self-hosted instances of UniFi Network Application to escalate write permission on the host device.

AnalysisAI

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to self-hosted controller with high privileges
Delivery
Craft request with path traversal sequences
Exploit
Redirect controller write to arbitrary host path
Execution
Write/modify files on host device
Impact
Escalate control of underlying host

Vulnerability AssessmentAI

Exploitation Exploitation requires a self-hosted instance of UniFi Network Application (Ubiquiti-managed/cloud instances are not in scope) and an attacker who already holds high privileges (PR:H) within the application plus network reachability to it (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H, score 8.7) indicates a network-reachable, low-complexity attack that nonetheless requires high privileges (PR:H), meaning the attacker must already hold an administrative/high-privilege foothold in the application. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained high-privilege (administrative) access to a self-hosted UniFi Network Application - for example via stolen operator credentials or a malicious insider - sends a crafted request whose file path contains directory-traversal sequences. Because the controller process can write to the host, the traversal directs a write operation to an arbitrary host location, letting the attacker modify or plant files and escalate control over the underlying host device. …
Remediation Patch available per vendor advisory: upgrade the self-hosted UniFi Network Application to the fixed build identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); an exact patched version number is not included in the provided data and should be taken directly from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all self-hosted UniFi Network Application deployments and audit high-privilege user accounts and access permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy