VYPR
patchPublished Jul 7, 2026· 1 source

Ubiquiti Patches 25 Vulnerabilities, Including Critical Flaws in UniFi Ecosystem

Ubiquiti has addressed 25 security vulnerabilities across its UniFi ecosystem, with several critical flaws rated 9.9 and 10.0 CVSS allowing for unauthenticated command injection and SQL injection.

Ubiquiti has released Security Advisory Bulletin 066, detailing a significant batch of 25 security vulnerabilities that impact its widely used UniFi ecosystem. The disclosed flaws span multiple product lines, including UniFi Connect, Talk, Access, Protect, Network Application, and the core UniFi OS platform found on devices like UDM, UNVR, and UNAS.

The advisory highlights several critical vulnerabilities, with CVE-2026-50746 standing out due to its perfect CVSS score of 10.0. This flaw, an Improper Access Control vulnerability in UniFi Connect Application (versions 3.4.16 and earlier), allows unauthenticated, network-adjacent attackers to execute arbitrary commands. Close behind, CVE-2026-50747 and CVE-2026-50748, both rated 9.9, present critical risks through SQL injection in UniFi Talk and command injection in UniFi Access, respectively. These are exploitable by low-privileged network users to gain full control over affected devices.

Further compounding the critical risk, CVE-2026-54402 and CVE-2026-55115, both rated 9.9, involve improper input validation and SSRF-driven privilege escalation within the UniFi OS platform. Another critical vulnerability, CVE-2026-54400, rated 9.1, allows privilege escalation in UniFi Access, though it requires higher privileges to exploit initially. The bulletin also flags CVE-2026-55116, a 9.0-rated Improper Access Control vulnerability affecting UniFi OS and gateway hardware, which could permit unauthorized configuration changes.

Ubiquiti has also identified several high-severity vulnerabilities that can be chained together for more severe attacks. Notably, CVE-2026-54403, an 8.6-rated path traversal bug in UniFi OS, can be combined with other vulnerabilities to bypass authentication requirements entirely. Similarly, CVE-2026-54401 (7.7) and CVE-2026-54404 (8.8) leverage SSRF and authenticated SQL injection, respectively, to achieve privilege escalation within the UniFi OS.

The UniFi Protect Application is also affected by a cluster of high-impact findings. This includes two authentication bypass issues (CVE-2026-54407 and CVE-2026-54408, both 8.6) targeting API endpoints and data streaming, alongside a SQL injection flaw (CVE-2026-56841, 8.8) that enables privilege escalation on the host device.

The advisory provides a detailed table listing the affected products, vulnerable versions, and the corresponding patched versions. For instance, UniFi Connect Application versions 3.4.16 and earlier are fixed in 3.4.20+, UniFi Talk Application 5.1.2 and earlier in 5.2.2+, and UniFi OS versions 5.1.15–5.1.18 and earlier in 5.1.19+.

The security bulletin credits a broad range of independent security researchers for their contributions. Abdulaziz Almadhi of Catchify Security is recognized for six disclosures, while Brandon Rossi is credited with four findings. Other researchers like Duc Anh Nguyen and Garett Kopcha also contributed multiple vulnerability disclosures across various UniFi products.

Ubiquiti's recommended mitigation strategy for all 25 vulnerabilities is to update the affected products to their respective patched versions. No interim workarounds are provided, emphasizing the urgency for administrators to apply the available updates to secure their UniFi deployments against potential exploitation.

Synthesized by Vypr AI