
UniFi Protect EUVD-2026-41398

CVE-2026-55115 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-02 hackerone GHSA-9prq-fx52-ppcv
9.9
CVSS 3.1 · Vendor: hackerone

Severity by source

Vendor (hackerone), primary: 9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

vuln.today AI: 9.9 CRITICAL

Network-reachable SSRF exploitable by a low-privilege account (PR:L) with no interaction, escalating across a scope boundary (S:C) to full host compromise, giving C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS Vector (Vendor: hackerone)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jul 02, 2026 - 16:17 (EUVD)
Analysis generated: Jul 02, 2026 - 15:31 (vuln.today)

Description (CVE.org)

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device.

Analysis (AI)

Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate with low-privilege Protect account
Delivery: Craft SSRF request to internal endpoint
Exploit: Coerce server-side request across scope boundary
Execution: Reach privileged host service
Impact: Escalate to host device control

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network access to the UniFi Protect Application's management interface and an authenticated low-privilege account (CVSS PR:L), so this is not an unauthenticated remote flaw; the attacker must first hold or obtain a limited Protect user login. …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H = 9.9) presents a high-priority profile: network-reachable, low attack complexity, only low privileges required, no user interaction, and a scope change yielding full host compromise. …

Exploit Scenario: An attacker who has obtained a low-privileged UniFi Protect account (for example a limited operator login) sends a crafted request that causes the Protect application to issue a server-side request to an internal or local privileged endpoint on the host. By steering that request, the attacker abuses the scope change to reach services running with higher privilege and escalates to control of the underlying device. …

Remediation: Apply the update referenced in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc). The vendor advisory indicates a patch is available, but the exact fixed version is not stated in the available data, so verify and install the version named in that bulletin. …

Recommended Action (AI)

Within 24 hours: Isolate UniFi Protect systems to a restricted network segment with firewall rules limiting access; enforce multi-factor authentication and least-privilege access controls; enable comprehensive audit logging of all user activity and configuration changes. …
