Ubiquiti has disclosed 25 security vulnerabilities affecting its UniFi ecosystem in Security Advisory Bulletin 066, including several critical flaws rated 9.9 and 10.0 on the CVSS v3.1 scale that could allow network-based attackers to fully compromise devices.
The advisory spans UniFi Connect, Talk, Access, Protect, Network Application, and the core UniFi OS platform running on UDM, UNVR, and UNAS device families.
Last month, Ubiquiti patched a series of Critical vulnerabilities that allowed remote privilege escalation on its UniFi OS platform.
The most severe issue, CVE-2026-50746, carries a perfect 10.0 score and stems from an Improper Access Control flaw in UniFi Connect Application (version 3.4.16 and earlier), letting any network-adjacent attacker execute command injection without authentication.
Close behind, CVE-2026-50747 and CVE-2026-50748 each scored 9.9: CVE-2026-50747 involved authenticated SQL injection in UniFi Talk, and CVE-2026-50748 involved command injection in UniFi Access; both were exploitable by low-privileged network users to escalate to full control.
Additional 9.9-rated bugs include CVE-2026-54402 (command injection in UniFi OS) and CVE-2026-55115 (SSRF-driven privilege escalation in UniFi Protect), while CVE-2026-54400 rounds out the critical tier at 9.1 with a privilege-escalation flaw in UniFi Access that requires high privileges.
A notably dangerous entry is CVE-2026-55116, a 9.0-rated Improper Access Control vulnerability affecting UDM, UDM-Pro, UDM-SE, and related gateway hardware, which permits unauthorized configuration changes under certain network conditions.
Several high-severity issues involve chainable attack paths. CVE-2026-54403, an 8.6-rated path traversal bug in UniFi OS, is explicitly flagged by Ubiquiti as capable of being combined with other vulnerabilities to bypass the low-privilege access requirement entirely.
Similarly, CVE-2026-54401 (7.7) is an SSRF flaw across the UniFi OS Server and UDM family enabling privilege escalation, while CVE-2026-54404 (8.8) exploits authenticated SQL injection to the same effect .
The UniFi Protect Application accounts for a cluster of high-impact findings, including two authentication bypass issues (CVE-2026-54407 and CVE-2026-54408, both 8.6) affecting API endpoints and data streaming, plus a SQL injection flaw (CVE-2026-56841, 8.8) that enables privilege escalation on the host device.
Affected Products and Fixed Versions
ProductVulnerable VersionPatched VersionUniFi Connect Application3.4.16 and earlier3.4.20+UniFi Talk Application5.1.2 and earlier5.2.2+UniFi Access Application4.2.28 and earlier4.2.29+UniFi Network Application10.3.58 and earlier10.4.57+UniFi Protect Application7.1.77 and earlier7.1.83+UniFi Protect Floodlight1.13.4 and earlier1.13.6+UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+
The bulletin credits a wide pool of independent researchers, with Abdulaziz Almadhi of Catchify Security identified across six separate CVEs spanning Access, Talk, and Protect applications.
Brandon Rossi is credited with four findings affecting UniFi Protect and Access, while Duc Anh Nguyen and Garett Kopcha each contributed two disclosures involving Connect, Talk, and Network Application flaws .
CVE IDAffected ProductVulnerable VersionFixed VersionVulnerability TypeCVSS ScoreSeverityCVE-2026-50746UniFi Connect Application3.4.16 and earlier3.4.20+Improper Access Control10.0CriticalCVE-2026-50747UniFi Talk Application5.1.2 and earlier5.2.2+SQL Injection9.9CriticalCVE-2026-50748UniFi Access Application4.2.28 and earlier4.2.29+Improper Input Validation9.9CriticalCVE-2026-54400UniFi Access Application4.2.28 and earlier4.2.29+Improper Access Control9.1CriticalCVE-2026-54401UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+SSRF7.7HighCVE-2026-54402UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+Improper Input Validation9.9CriticalCVE-2026-54403UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+Path Traversal8.6HighCVE-2026-54404UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+SQL Injection8.8HighCVE-2026-54405UniFi Network Application10.3.58 and earlier10.4.57+Improper Input Validation (DoS)7.5HighCVE-2026-54406UniFi Network Application10.3.58 and earlier10.4.57+Path Traversal8.7HighCVE-2026-54407UniFi Protect Application7.1.77 and earlier7.1.83+Improper Access Control8.6HighCVE-2026-54408UniFi Protect Application7.1.77 and earlier7.1.83+Improper Access Control8.6HighCVE-2026-54409UniFi Protect Application7.1.77 and earlier7.1.83+Improper Initialization7.5HighCVE-2026-55110UniFi OS (UDM/UNVR/UNAS family)5.1.15–5.1.18 and earlier5.1.19+CORS Misconfiguration7.5HighCVE-2026-55111UniFi Protect Floodlight1.13.4 and earlier1.13.6+Path Traversal7.5HighCVE-2026-55112UniFi OS + Protect (UDM-Pro etc.)5.1.15 and earlier5.1.19+Improper Access Control7.5HighCVE-2026-55113UniFi Talk Application5.1.2 and earlier5.2.2+SSRF7.5HighCVE-2026-55114UniFi Network Application10.3.58 and earlier10.4.57+Improper Access Control8.8HighCVE-2026-55115UniFi Protect Application7.1.77 and earlier7.1.83+SSRF9.9CriticalCVE-2026-55116UniFi OS (UDM/gateway family)5.1.15–5.1.18 and earlier5.1.19+Improper Access Control9.0CriticalCVE-2026-55117UniFi Access Application4.2.28 and earlier4.2.29+Path Traversal8.6HighCVE-2026-55118UniFi Network Application10.3.58 and earlier10.4.57+Improper Access Control8.3HighCVE-2026-55119UniFi Talk Application5.1.2 and earlier5.2.2+Improper Access Control8.1HighCVE-2026-56841UniFi Protect Application7.1.77 and earlier7.1.83+SQL Injection8.8HighCVE-2026-56842UniFi Network Application10.3.58 and earlier10.4.57+Incorrect Authorization7.5High
Ubiquiti’s mitigation is consistent across the bulletin: administrators must update each affected product to its designated fixed version, with no interim workarounds listed for any of the 25 entries.
Given the presence of multiple unauthenticated, network-exploitable, critical-severity flaws, particularly the chainable path traversal issue in UniFi OS organizations running UDM, UNVR, or UNAS hardware, should prioritize firmware updates immediately rather than waiting for scheduled maintenance windows.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide
The post Ubiquiti Disclosed 25 Security Vulnerabilities Across the UniFi Ecosystem appeared first on Cyber Security News.



