Severity by source
Primary rating from vendor (HackerOne): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Requires prior low-privilege authenticated access (PR:L) and a specific stale-authorization condition (AC:H), reachable over the network (AV:N); the retained privileges grant full control of the managed network, so C, I and A are all High.
Description (CVE.org)
A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi Network Application after such access had been removed.
Analysis (AI)
Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged actor with network access to the controller to retain granted privileges even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with High confidentiality, integrity and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the actor to already hold, or to have recently held, a low-privilege authenticated role in the UniFi Network Application (CVSS PR:L) and to have network access to the controller (AV:N). The core precondition is a privilege-revocation event: the actor exploits the flaw to retain privileges after their access "had been removed". The AC:H metric and the description's phrase "under certain conditions" indicate that a specific state the attacker cannot guarantee (such as a still-active or cached session, or a particular role-change sequence) must exist for the stale authorization to be honoured. … |
| Risk Assessment | This is a moderately severe issue, best treated as a real but conditional risk rather than a mass-exploitation emergency. … |
| Exploit Scenario | A contractor or junior operator is granted a role in the UniFi Network Application and an administrator later revokes that access; because of the Incorrect Authorization flaw, under certain conditions the revocation is not fully enforced, so the actor can continue to perform privileged controller actions from the network, such as modifying network or device configuration. No public PoC is available, and the high attack complexity means the specific stale-state condition must be met, but the actor's prior low-privilege foothold is the key enabler. |
| Remediation | Upgrade the UniFi Network Application to the fixed version identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc). A patch is available per the vendor advisory, but the exact patched version string is not included in the data here and must be read from that bulletin before deployment. … |
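The exploit scenario above hinges on one authorization-design mistake: a session that keeps the role it was issued with instead of re-checking the live principal on each request. The following is an added example, not UniFi code and not Ubiquiti's fix; every class and name in it is hypothetical. It places the stale-session pattern (CWE-863) next to a hardened variant that re-resolves the role per request and bumps a per-user authorization epoch on any role change, so the contractor's session from the scenario is rejected the moment the administrator revokes the role.

```python
"""Added example (not UniFi code): why a revoked role can keep working.

VulnerableController snapshots the caller's role into the session at
login and never looks at the user store again, so an administrator
removing the role has no effect on existing sessions.  FixedController
re-resolves the role on every request and records an authorization
epoch in the session; any role change bumps the epoch and invalidates
every session issued before it.  All names here are hypothetical.
"""
from dataclasses import dataclass, field
import secrets

ROLE_PERMS = {
    "admin": {"config.read", "config.write", "device.adopt"},
    "viewer": {"config.read"},
    None: set(),  # no role: the user has been removed from the controller
}


@dataclass
class UserStore:
    roles: dict = field(default_factory=dict)        # username -> role or None
    authz_epoch: dict = field(default_factory=dict)  # username -> int

    def set_role(self, user, role):
        self.roles[user] = role
        # Any grant or revocation invalidates sessions issued before it.
        self.authz_epoch[user] = self.authz_epoch.get(user, 0) + 1


class VulnerableController:
    """Role is copied into the session at login (the bug)."""

    def __init__(self, store):
        self.store, self.sessions = store, {}

    def login(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = {"user": user, "role": self.store.roles.get(user)}
        return token

    def authorize(self, token, action):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        # Stale authorization: the store is never consulted again.
        return action in ROLE_PERMS[sess["role"]]


class FixedController:
    """Role is re-resolved per request; the epoch check kills old sessions."""

    def __init__(self, store):
        self.store, self.sessions = store, {}

    def login(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = {"user": user,
                                "epoch": self.store.authz_epoch.get(user, 0)}
        return token

    def authorize(self, token, action):
        sess = self.sessions.get(token)
        if sess is None:
            return False
        user = sess["user"]
        if sess["epoch"] != self.store.authz_epoch.get(user, 0):
            self.sessions.pop(token, None)  # role changed since issuance
            return False
        return action in ROLE_PERMS[self.store.roles.get(user)]


def revocation_scenario(controller_cls):
    """Grant a contractor admin, log in, revoke, then retry a privileged
    action.  Returns (allowed_before_revocation, allowed_after_revocation)."""
    store = UserStore()
    store.set_role("contractor", "admin")
    ctl = controller_cls(store)
    token = ctl.login("contractor")
    before = ctl.authorize(token, "config.write")
    store.set_role("contractor", None)  # administrator removes the access
    after = ctl.authorize(token, "config.write")
    return before, after


if __name__ == "__main__":
    print("vulnerable:", revocation_scenario(VulnerableController))  # (True, True)
    print("fixed:     ", revocation_scenario(FixedController))       # (True, False)
```

The epoch is what makes the fix robust against the "under certain conditions" class of bug: even if a role lookup were cached somewhere, a session minted before the revocation can no longer match the current epoch. Re-resolving the role on every request covers the case where the same account is downgraded rather than removed.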
Recommended Action (AI)
Within 24 hours: audit all current UniFi controller administrators; enable verbose audit logging and verify that it is active and retained. …
Weakness: CWE-863 – Incorrect Authorization
Technique: Authentication Bypass
References
EUVD-2026-41402
GHSA-fhjm-rpqj-xm7m