Critical UniFi flaws put Ubiquiti users at risk of full system takeover, patch now


Ubiquiti has disclosed two serious security flaws in the UniFi Network Application, and one of them is severe enough to demand immediate action. The most dangerous issue, tracked as CVE-2026-22557, carries a CVSS 3.1 score of 10.0 and can let an unauthenticated attacker with network access reach sensitive files on the underlying system and potentially take over an account there.

The second bug, CVE-2026-22558, is a high-severity authenticated NoSQL injection flaw. It requires valid access first, but it can still let an attacker escalate privileges inside the UniFi environment, which makes it a serious follow-up risk if an account has already been compromised.

For admins, the answer is simple. If your deployment runs an affected UniFi Network Application build, you should update immediately. Ubiquiti says the fixes are available in UniFi Network Application 10.1.89 or later, Release Candidate 10.2.97 or later, and UniFi Express firmware 4.0.13 or later, which bundles UniFi Network Application 9.0.118 or later.

What happened

According to Ubiquiti’s security bulletin, the more severe flaw is a path traversal bug in the UniFi Network Application. The National Vulnerability Database entry says the issue could let “a malicious actor with access to the network” access files on the underlying system, and those files could then be used to reach an underlying account. The CVSS vector shows no authentication and no user interaction are required.

The second issue affects authenticated users. NVD describes CVE-2026-22558 as a NoSQL injection vulnerability that could allow a malicious actor with authenticated access to the network to escalate privileges. While it is not as severe as the first bug, it still creates a meaningful risk for exposed or poorly segmented management environments.

Affected versions and fixed versions

| Product | Affected versions | Fixed versions |
|---|---|---|
| UniFi Network Application (Official) | 10.1.85 and earlier | 10.1.89 or later |
| UniFi Network Application (Release Candidate) | 10.2.93 and earlier | 10.2.97 or later |
| UniFi Express (UX) | Network App 9.0.114 and earlier | UniFi OS Express 4.0.13 or later with Network App 9.0.118 or later |

The release trail also lines up with Ubiquiti’s bulletin. Ubiquiti’s release pages show UniFi Network Application 10.1.89 and UniFi OS Express 4.0.13 published on March 17, 2026, and the Express release specifically notes that it bundles UniFi Network 9.0.118.
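As an added example that is not Ubiquiti's code or part of the bulletin, the following Python encodes the version thresholds above and reports which controllers in an inventory still need the fix; the channel names, hostnames and builds in the sample are assumptions made for the illustration.

```python
# Added example, not from Ubiquiti's bulletin or the article: maps a reported
# UniFi Network Application build to the affected/fixed thresholds for each channel.
import re

# (last affected, first fixed) per release channel, as listed by Ubiquiti
THRESHOLDS = {
    "official": ((10, 1, 85), (10, 1, 89)),
    "rc": ((10, 2, 93), (10, 2, 97)),
    "express": ((9, 0, 114), (9, 0, 118)),  # Network App bundled in UniFi OS Express 4.0.13
}

def parse_version(text):
    """'10.1.89' -> (10, 1, 89); tolerates a leading 'v' and a trailing build tag."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def patch_status(channel, version):
    """'vulnerable', 'update' or 'fixed'. 'update' marks builds between the last
    listed-affected and the first fixed version: the bulletin does not vouch
    for them, so treat them as needing the patch too."""
    last_affected, first_fixed = THRESHOLDS[channel]
    v = parse_version(version)
    if v >= first_fixed:
        return "fixed"
    if v <= last_affected:
        return "vulnerable"
    return "update"

def audit(inventory):
    """inventory: iterable of (host, channel, version); returns hosts still needing action."""
    report = []
    for host, channel, version in inventory:
        status = patch_status(channel, version)
        if status != "fixed":
            report.append((host, channel, version, status))
    return report

# Constructed sample inventory (hostnames and builds are made up for illustration)
SAMPLE_INVENTORY = [
    ("ctrl-hq", "official", "10.1.85"),
    ("ctrl-lab", "rc", "10.2.97"),
    ("ux-branch", "express", "9.0.114"),
    ("ctrl-legacy", "official", "v10.1.87-ubuntu"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```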

Why this matters

Many UniFi deployments sit deep inside business and prosumer networks, where the controller has visibility into access points, gateways, switches, users, and network policies. That does not automatically mean every environment is internet exposed, but it does mean a controller compromise can become a much larger operational problem than a typical app bug. This risk rises sharply if the management interface is reachable from untrusted networks.

The CVSS 10.0 rating on CVE-2026-22557 makes this especially urgent. NVD shows the CNA vector as AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which signals remote exploitation with low complexity and no need for authentication or user action; the changed scope (S:C) and high confidentiality, integrity, and availability impact mean a successful exploit is expected to affect more than the application itself. In practical terms, that is the type of flaw defenders usually patch first and investigate immediately afterward.

What admins should do now

  • Update UniFi Network Application to 10.1.89 or later.
  • Update Release Candidate deployments to 10.2.97 or later.
  • Update UniFi Express to firmware 4.0.13 or later.
  • Restrict access to the UniFi management interface to trusted networks only.
  • Review firewall rules and VPN-only access policies for controller administration.
  • Check logs and admin accounts for unusual activity after patching.

Those extra hardening steps matter because Ubiquiti’s bulletin frames the most severe issue around network access, not broad public internet scanning alone. If an attacker can reach the management surface, the risk increases fast.

Quick risk summary

| CVE | Severity | Type | Authentication required | Potential impact |
|---|---|---|---|---|
| CVE-2026-22557 | Critical, 10.0 | Path traversal | No | Access to sensitive files and possible underlying account compromise |
| CVE-2026-22558 | High, 7.7 | NoSQL injection | Yes, low privileges | Privilege escalation inside the app |

FAQ

What is the most dangerous UniFi vulnerability in this disclosure?

CVE-2026-22557 is the most dangerous one. It is rated 10.0 and does not require authentication, according to the CNA metrics shown by NVD.

Do attackers need internet access to exploit these bugs?

The official wording focuses on network access. That means exposure depends on how your UniFi management interface is deployed and segmented. Public exposure increases risk, but internal exposure still matters.

Which UniFi versions fix the issue?

Ubiquiti points admins to UniFi Network Application 10.1.89 or later, Release Candidate 10.2.97 or later, and UniFi Express firmware 4.0.13 or later with Network App 9.0.118 or later.

Should businesses treat this as an emergency patch?

Yes. A CVSS 10.0 vulnerability in a network management platform deserves immediate attention, especially when the product controls infrastructure and admin workflows. That is the safest reading of the vendor advisory and the NVD metrics.
