Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable API with low complexity and no interaction, but a valid low-privileged account is required (PR:L); successful escalation yields full application-level C/I/A impact within an unchanged scope.
Primary rating from vendor (HackerOne).
CVSS vector (vendor: HackerOne): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
Analysis (AI)
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. …
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to already possess a valid low-privileged account on the UniFi Network Application and network access to its management interface (CVSS PR:L, AV:N, AC:L, UI:N); it is NOT remote-unauthenticated. … |
| Risk Assessment | The signals are moderately consistent and point to a genuine priority for anyone running a multi-tenant or multi-admin UniFi controller. … |
| Exploit Scenario | An attacker who already holds a limited or read-only UniFi account (obtained via delegated access, a shared MSP tenant, or reused/leaked credentials) sends crafted requests to the controller's network-facing API that perform a privileged action their role should not permit. Because the authorization check is missing (CWE-284) and no user interaction is needed, they elevate to full administrative control over the UniFi Network Application, gaining the ability to reconfigure networks and devices. … |
| Remediation | Apply the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc). The data available here does not include an exact fix version number, so treat this as "patch available per vendor advisory" and confirm the specific patched build against that bulletin before deployment. … |
Recommended Action (AI)
24 hours: Inventory all Ubiquiti UniFi Network Application deployments and confirm their current versions. …
EUVD-2026-41401
GHSA-66wx-hp59-23gx