Skip to main content

Unifi Access Application

3 CVEs product

Monthly

CVE-2026-55117 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-54400 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-50748 CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.9
EPSS
0.8%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy