Latest Ubiquiti UniFi OS vulnerabilities #

Ubiquiti disclosed multiple vulnerabilities affecting certain versions of the UniFi OS:

  • CVE-2026-54401: A Server-Side Request Forgery (SSRF) vulnerability that allows a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54401 and has been rated high with a CVSS score of 7.7.
  • CVE-2026-54402: An improper input validation vulnerability that allows a remote, low-privileged attacker to perform command injection on the host device. The vulnerability has been designated CVE-2026-54402 and has been rated critical with a CVSS score of 9.9.
  • CVE-2026-54403: A path traversal vulnerability that allows a remote, low-privileged attacker to bypass authentication on UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54403 and has been rated high with a CVSS score of 8.6.
  • CVE-2026-54404: A series of authenticated SQL Injection (SQLi) vulnerabilities that allow a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54404 and has been rated high with a CVSS score of 8.8.
  • CVE-2026-55110: A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability that allows a remote, unauthenticated attacker, who convinces an authenticated user to visit a malicious webpage, to trigger operations in UniFi OS using that user's session. The vulnerability has been designated CVE-2026-55110 and has been rated high with a CVSS score of 7.5.
  • CVE-2026-55112: An improper access control vulnerability that allows a remote, low-privileged attacker to escalate privileges on the host device under certain conditions when UniFi OS is configured with the UniFi Protect Application. The vulnerability has been designated CVE-2026-55112 and has been rated high with a CVSS score of 7.5.
  • CVE-2026-55116: An improper access control vulnerability that, under certain network configurations, allows a remote, unauthenticated attacker to make unauthorized changes to UniFi OS devices. The vulnerability has been designated CVE-2026-55116 and has been rated critical with a CVSS score of 9.0.

    The following software versions are affected across their respective hardware platforms (including all standalone servers, UDM, UNAS, UCG, UCK, UNVR, ENVR, and EF consoles):

    • UniFi OS / Server (Standard Consoles): Version 5.1.15 and prior.
      • Applies to all reported CVEs (CVE-2026-54401 through CVE-2026-55116).
      • Note on CVE-2026-55112: This risk only presents if the platform is running the UniFi Protect Application.
    • UniFi Network Attached Storage (UNAS): Version 5.1.16 and prior.
      • Applies to CVE-2026-54401, CVE-2026-54402, CVE-2026-54403, CVE-2026-54404, and CVE-2026-55110.
    • Enterprise Firewall (EF-Core): Version 5.1.18 and prior.
      • Applies to all reported CVEs.

    Note on CVE-2026-54403: While the narrative text within the manufacturer's advisory suggests that chaining this path traversal flaw could allow an attacker to bypass the low-privilege threshold, the formal CVSS tracking metrics officially list the Privileges Required (PR) value as "None."

    What is Ubiquiti UniFi OS? #

    Ubiquiti UniFi OS is a Linux-based operating system and application server platform deployed across dedicated Cloud Gateways, hardware consoles, and self-hosted servers to manage and run individual network and security applications.

    What is the impact? #

    Successful exploitation of these vulnerabilities allows an adversary to bypass authentication, escalate privileges on the host device, and make unauthorized system or configuration changes.

    Are updates or workarounds available? #

    Users are encouraged to update to the latest version as quickly as possible:

    • All Platforms: Upgrade to UniFi OS version 5.1.19 or later.

    How to find potentially vulnerable systems with runZero #

    From the Asset Inventory, use the following query to locate potentially impacted assets:

    os:="Ubiquiti UniFi OS"

    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

    More about Matthew Kienow
    Subscribe Now

    Get the latest news and expert insights delivered in your inbox.

    Welcome to the club! Your subscription to our newsletter is successful.

    Explore more runZero

    Product
    Announcing runZero 5.0: Exposure management built to outpace AI-driven attacks
    When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the...
    Product Videos
    runZero 5.0: Platform Demo
    With the new 5.0 release, runZero is giving defenders the edge they need to succeed in the AI-attack era.
    runZero Perspective
    BOD 26-04: A new era of prioritized remediation
    A complete breakdown of CISA's BOD 26-04 directive. Learn how the shift to SSVC, risk-based KEV prioritization, and 3-day remediation impacts your...
    runZero Perspective
    Dawn of the apex agentic adversary
    When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
    Talks
    Identifying exposures at scale with BloodHound OpenGraph
    Traditional exposure management misses hidden attack paths. Learn how BloodHound and Cypher queries can uncover vulnerabilities beyond individual...
    Podcasts
    When is a vulnerability not a vulnerability?
    Attackers care about outcomes, not CVEs. Tod Beardsley joins Distilled Security to discuss reframing risk from checklist compliance to adversary...
    Podcasts
    Know Your Adversary with HD Moore
    runZero CEO HD Moore breaks down the myth of air-gapped networks, the impact of AI on security, and why asset connectivity is everything.
    Webcasts
    Defending in the shadow era: when the CVE feed goes dark
    HD Moore walks through the three eras of vulnerability management: the predictable cycles era, the triage ara of AI-scale discovery, and now the...

    See Results in Minutes

    See & secure your total attack surface. Even the unknowns & unmanageable.