Skip to main content
CybersecurityVulnerability Management

Ubiquiti Fixes Flaws in UniFi Ecosystem

Modern smart home network setup with various connected devices.

CVE-2026-50746 (CVSS score: 10.0).

Ubiquiti has shipped updates to address a string of critical vulnerabilities across its UniFi product family — Connect, Talk, Access, Protect and UniFi OS — that, according to the advisory, could allow attackers with network access to escalate privileges, execute arbitrary commands, or make unauthorized changes on affected hosts.

UniFi Connect — CVE-2026-50746 (critical command injection)

The advisory lists CVE-2026-50746 as an improper access control vulnerability in the UniFi Connect Application. An attacker with access to the network could exploit the flaw to perform a command injection on the host device. The flaw carries a CVSS score of 10.0. Affected releases are version 3.4.16 and earlier; Ubiquiti says the issue is fixed in UniFi Connect version 3.4.20.

UniFi Talk — CVE-2026-50747 (authenticated SQL injection)

CVE-2026-50747 covers a series of authenticated SQL injection vulnerabilities in the UniFi Talk Application. Per the advisory, an attacker with access to the network could exploit these SQL injection flaws to escalate privileges on the host device. The vulnerabilities are scored 9.9 by CVSS. Affected versions are 5.1.2 and earlier; Ubiquiti lists a fix in UniFi Talk version 5.2.2.

UniFi Access — CVE-2026-50748 and CVE-2026-54400

UniFi Access is affected by two high-severity issues. CVE-2026-50748 is described as an improper input validation vulnerability that could lead to a command injection on the host device, with a CVSS score of 9.9. CVE-2026-54400 is an improper access control issue that could allow an attacker with network access to escalate privileges; it carries a CVSS score of 9.1. Both vulnerabilities affect UniFi Access versions 4.2.28 and earlier and are listed as fixed in version 4.2.29.

UniFi Protect and UniFi OS — CVE-2026-55115, CVE-2026-54402, and CVE-2026-55116

UniFi Protect is named for CVE-2026-55115, a Server-Side Request Forgery (SSRF) vulnerability with a CVSS score of 9.9. According to the advisory, an attacker with network access and low privileges could exploit the SSRF to escalate privileges on the host. Affected Protect releases are 7.1.77 and earlier; Ubiquiti reports a fix in version 7.1.83.

UniFi OS has two further high-severity flaws: CVE-2026-54402, an improper input validation vulnerability that could permit command injection on the host (CVSS 9.9), and CVE-2026-55116, an improper access control vulnerability that could enable unauthorized changes to certain devices (CVSS 9.0). Both affect UniFi OS versions 5.1.15 and earlier and are listed as fixed in UniFi OS version 5.1.19.

What this means for security teams, regulators, and enterprise IT

  • Security teams and technologists: The advisory documents specific affected and fixed versions across UniFi Connect (3.4.16 → 3.4.20), UniFi Talk (5.1.2 → 5.2.2), UniFi Access (4.2.28 → 4.2.29), UniFi Protect (7.1.77 → 7.1.83), and UniFi OS (5.1.15 → 5.1.19). Teams will focus on inventorying deployments against those version numbers and applying the updates Ubiquiti shipped to remediate the listed command-injection, SQL-injection, SSRF, and access-control flaws.
  • Regulators and government cyber defenders: The advisory notes there is no evidence these newly disclosed flaws have been exploited in the wild. At the same time, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged three different UniFi OS vulnerabilities — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 — as having been weaponized in real-world attacks last month, a contrast that regulators are likely to weigh when assessing risk and response priorities.
  • Enterprise and procurement leaders: The advisory joins other recent signals of attacker interest in Ubiquiti devices. The vendor statement points to prior observed abuse, including Russian state-sponsored actors enlisting compromised Ubiquiti Edge OS routers into a botnet called MooBot, which the advisory says was felled in a law enforcement operation in February 2024. Inventorying exposed devices and confirming they run non-affected versions is the concrete detail enterprises can draw from the advisory.

Ubiquiti’s disclosure is specific: it identifies seven new CVEs, gives CVSS scores, and maps each flaw to affected and fixed version numbers. It also separates those new flaws from an earlier set of UniFi OS vulnerabilities CISA says were weaponized last month, and it recalls a past botnet campaign involving Edge OS routers. The advisory concludes with the vendor having shipped updates; the record here shows patch availability and an absence of evidence for exploitation of these particular issues, but the existence of weaponized UniFi OS flaws and the prior MooBot campaign underscore the practical stakes for networks that continue to run affected software.

Original story