Latest Ubiquiti UniFi OS vulnerabilities #
Ubiquiti disclosed multiple vulnerabilities affecting certain versions of the UniFi OS:
- CVE-2026-54401: A Server-Side Request Forgery (SSRF) vulnerability that allows a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54401 and has been rated high with a CVSS score of 7.7.
- CVE-2026-54402: An improper input validation vulnerability that allows a remote, low-privileged attacker to perform command injection on the host device. The vulnerability has been designated CVE-2026-54402 and has been rated critical with a CVSS score of 9.9.
- CVE-2026-54403: A path traversal vulnerability that allows a remote, low-privileged attacker to bypass authentication on UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54403 and has been rated high with a CVSS score of 8.6.
- CVE-2026-54404: A series of authenticated SQL Injection (SQLi) vulnerabilities that allow a remote, low-privileged attacker to escalate privileges within UniFi OS devices or instances. The vulnerability has been designated CVE-2026-54404 and has been rated high with a CVSS score of 8.8.
- CVE-2026-55110: A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability that allows a remote, unauthenticated attacker, who convinces an authenticated user to visit a malicious webpage, to trigger operations in UniFi OS using that user's session. The vulnerability has been designated CVE-2026-55110 and has been rated high with a CVSS score of 7.5.
- CVE-2026-55112: An improper access control vulnerability that allows a remote, low-privileged attacker to escalate privileges on the host device under certain conditions when UniFi OS is configured with the UniFi Protect Application. The vulnerability has been designated CVE-2026-55112 and has been rated high with a CVSS score of 7.5.
- CVE-2026-55116: An improper access control vulnerability that, under certain network configurations, allows a remote, unauthenticated attacker to make unauthorized changes to UniFi OS devices. The vulnerability has been designated CVE-2026-55116 and has been rated critical with a CVSS score of 9.0.
The following software versions are affected across their respective hardware platforms (including all standalone servers, UDM, UNAS, UCG, UCK, UNVR, ENVR, and EF consoles):
- UniFi OS / Server (Standard Consoles): Version 5.1.15 and prior.
- Applies to all reported CVEs (CVE-2026-54401 through CVE-2026-55116).
- Note on CVE-2026-55112: This risk only presents if the platform is running the UniFi Protect Application.
- UniFi Network Attached Storage (UNAS): Version 5.1.16 and prior.
- Applies to CVE-2026-54401, CVE-2026-54402, CVE-2026-54403, CVE-2026-54404, and CVE-2026-55110.
- Enterprise Firewall (EF-Core): Version 5.1.18 and prior.
- Applies to all reported CVEs.
Note on CVE-2026-54403: While the narrative text within the manufacturer's advisory suggests that chaining this path traversal flaw could allow an attacker to bypass the low-privilege threshold, the formal CVSS tracking metrics officially list the Privileges Required (PR) value as "None."
What is Ubiquiti UniFi OS? #
Ubiquiti UniFi OS is a Linux-based operating system and application server platform deployed across dedicated Cloud Gateways, hardware consoles, and self-hosted servers to manage and run individual network and security applications.
What is the impact? #
Successful exploitation of these vulnerabilities allows an adversary to bypass authentication, escalate privileges on the host device, and make unauthorized system or configuration changes.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- All Platforms: Upgrade to UniFi OS version 5.1.19 or later.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
os:="Ubiquiti UniFi OS"