Full Report
Ubiquiti has shipped updates to address multiple critical security flaws impacting UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could result in privilege escalation and arbitrary command execution. The list of vulnerabilities is as follows - CVE-2026-50746 (CVSS score: 10.0) - An improper access control vulnerability in UniFi Connect Application that an attacker
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Ubiquiti UniFi Ecosystem
## CVE Details
- **CVE ID:** CVE-2026-50746, CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-55115, CVE-2026-54402, CVE-2026-55116
- **CVSS Score:** 9.0 to 10.0 (Critical)
- **CWE:** Improper Access Control, SQL Injection, Improper Input Validation, Server-Side Request Forgery (SSRF)
## Affected Systems
- **Products:** UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS.
- **Versions:**
- UniFi Connect: 3.4.16 and earlier
- UniFi Talk: 5.1.2 and earlier
- UniFi Access: 4.2.28 and earlier
- UniFi Protect: 7.1.77 and earlier
- UniFi OS: 5.1.15 and earlier
- **Configurations:** Devices with network-accessible management interfaces; some flaws require low-privilege authentication.
## Vulnerability Description
Ubiquiti has patched several critical vulnerabilities that allow for privilege escalation and arbitrary command execution across its hardware ecosystem:
- **Command Injection:** Found in Connect, Access, and UniFi OS due to improper access control and input validation.
- **SQL Injection:** Authenticated flaws in UniFi Talk allow for host-level privilege escalation.
- **SSRF:** A vulnerability in UniFi Protect allows low-privileged network attackers to escalate privileges on the host.
- **Unauthorized Access:** UniFi OS flaws allow unauthorized configuration changes to connected devices.
## Exploitation
- **Status:** Not currently observed in the wild (Note: Similar legacy UniFi OS flaws have been weaponized by state-sponsored actors).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Attacker must have access to the local network or the management interface).
## Impact
- **Confidentiality:** High (Full system access and data exposure).
- **Integrity:** High (Unauthorized command execution and device configuration changes).
- **Availability:** High (Potential for device takeover or service disruption).
## Remediation
### Patches
Update to the following versions or newer:
- **UniFi Connect Application:** v3.4.20
- **UniFi Talk Application:** v5.2.2
- **UniFi Access Application:** v4.2.29
- **UniFi Protect Application:** v7.1.83
- **UniFi OS:** v5.1.19
### Workarounds
- **Network Segmentation:** Isolate UniFi management interfaces on a dedicated VLAN with restricted access.
- **Disable Remote Access:** Limit exposure of management portals to the public internet.
- **Access Control:** Stick to the principle of least privilege for all application users.
## Detection
- **Indicators of Compromise:** Monitor for unexpected shell activity on UniFi hosts, unusual SQL query patterns in Talk logs, and unauthorized configuration changes.
- **Detection Methods:** Utilize network intrusion detection systems (NIDS) to flag SSRF and SQL injection patterns targeting UniFi application ports.
## References
- **Vendor Advisory:** community.ui[.]com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
- **Source Article:** thehackernews[.]com/2026/07/ubiquiti-patches-critical-unifi-flaws.html