Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable app with low-privilege account required (PR:L, AV:N, AC:L, UI:N); privilege escalation yields high confidentiality and integrity impact but no availability effect, scope unchanged.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application.
AnalysisAI
Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have network access to the UniFi Talk Application and must already possess a valid low-privilege account within that application (CVSS PR:L; Ubiquiti describes it as an Authentication Bypass / improper access control within the Talk app). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N = 8.1 High) describes a network-reachable, low-complexity attack requiring only low existing privileges and no user interaction, with high confidentiality and integrity impact but no availability impact - a realistic priority for any environment that has multiple user tiers in UniFi Talk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds a low-privilege UniFi Talk account (for example a limited user or a compromised low-tier credential) sends crafted requests over the network to application endpoints whose authorization checks are improperly enforced, elevating their role within the Talk app. With the resulting high-privilege access they can read or alter call configuration, telephony settings, or other users' data. … |
| Remediation | Patch available per vendor advisory: update the UniFi Talk Application to the fixed release described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not enumerated in the provided data, so consult that advisory and apply the update through the UniFi application/console update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all UniFi Talk deployments; restrict application access to essential roles only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Talk Application
View allPrivilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged acco
Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the appl
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41403
GHSA-7228-x566-c73m