Ubiquiti Discloses 25 UniFi Vulnerabilities, Including Critical Flaws Rated 10.0 and 9.9
Ubiquiti has disclosed 25 security vulnerabilities across its UniFi ecosystem, including several critical flaws that could let network-based attackers execute commands, escalate privileges, bypass access controls, or make unauthorized changes to affected devices.
The issues were published in Security Advisory Bulletin 066, which covers UniFi Connect, Talk, Access, Network, Protect, Protect Floodlight, and UniFi OS devices. Ubiquiti’s main mitigation is direct: install the fixed versions listed for each affected product.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The most severe flaw is CVE-2026-50746, a CVSS 10.0 issue in UniFi Connect Application 3.4.16 and earlier. It can allow a malicious actor with network access to exploit improper access control and execute command injection on the host device.
Which UniFi products need updates?
The advisory affects both UniFi applications and UniFi OS-based hardware families. That includes gateways, Dream Machine devices, network video recorders, network attached storage products, and UniFi OS Server deployments.
BleepingComputer reported that Ubiquiti patched seven critical vulnerabilities in this release, including one maximum-severity flaw and six more critical issues across UniFi Talk, UniFi Access, UniFi Protect, UniFi OS Server, and related device families.
Admins should not assume that updating only one UniFi component is enough. The bulletin covers multiple apps, and many environments run several of them on the same UniFi OS console or server.
| Affected product | Vulnerable version | Fixed version |
|---|---|---|
| UniFi Connect Application | 3.4.16 and earlier | 3.4.20 or later |
| UniFi Talk Application | 5.1.2 and earlier | 5.2.2 or later |
| UniFi Access Application | 4.2.28 and earlier | 4.2.29 or later |
| UniFi Network Application | 10.3.58 and earlier | 10.4.57 or later |
| UniFi Protect Application | 7.1.77 and earlier | 7.1.83 or later |
| UniFi Protect Floodlight | 1.13.4 and earlier | 1.13.6 or later |
| UniFi OS | Versions before 5.1.19 across affected families | 5.1.19 or later |
The most severe vulnerabilities in Bulletin 066
The critical set includes command injection, SQL injection, server-side request forgery, improper access control, and privilege escalation flaws. Several require only network access and low privileges, while CVE-2026-50746 requires no privileges according to its CVSS vector.
CVE-2026-50747 affects UniFi Talk Application and involves authenticated SQL injection that can let a low-privileged network attacker escalate privileges on the host device. CVE-2026-50748 affects UniFi Access Application and can allow command injection through improper input validation.
UniFi Protect also has a critical SSRF issue. CVE-2026-55115 is rated 9.9 and can let a low-privileged attacker escalate privileges on the host device through UniFi Protect Application 7.1.77 and earlier.
| CVE | Product | Issue type | CVSS | Fixed version |
|---|---|---|---|---|
| CVE-2026-50746 | UniFi Connect | Improper access control leading to command injection | 10.0 | 3.4.20 or later |
| CVE-2026-50747 | UniFi Talk | Authenticated SQL injection | 9.9 | 5.2.2 or later |
| CVE-2026-50748 | UniFi Access | Improper input validation leading to command injection | 9.9 | 4.2.29 or later |
| CVE-2026-54402 | UniFi OS | Improper input validation leading to command injection | 9.9 | 5.1.19 or later |
| CVE-2026-55115 | UniFi Protect | Server-side request forgery | 9.9 | 7.1.83 or later |
| CVE-2026-55116 | UniFi OS devices | Improper access control | 9.0 | 5.1.19 or later |
Why UniFi OS flaws should get priority
UniFi OS flaws deserve special attention because they affect core device platforms rather than only one application. A compromised UniFi OS device can put network management, cameras, storage, access control, and gateway functions at risk depending on the deployment.
One of the most important entries is CVE-2026-54403, a path traversal vulnerability in UniFi OS. NVD describes it as a network-exploitable flaw that can let an attacker bypass authentication on affected UniFi OS devices or instances.
Another critical UniFi OS issue is CVE-2026-55116. It can allow a malicious actor with network access, under certain network configurations, to make unauthorized changes to affected UniFi OS devices.
- Patch UniFi OS systems first if they expose management functions to untrusted networks.
- Update UniFi Connect quickly because CVE-2026-50746 carries a 10.0 severity score.
- Review UniFi Protect deployments because multiple high and critical issues affect Protect.
- Update UniFi Network, Talk, and Access even if they are only used by internal staff.
- Confirm that cloud gateways, NVRs, NAS devices, and self-hosted UniFi OS Server instances are all covered.
Authentication bypass and chainable flaws raise the risk
Some of the vulnerabilities look especially dangerous because they can support chained attacks. In practice, a flaw that bypasses authentication can make other flaws easier to exploit, even when those other flaws normally require privileges.
That is why the UniFi OS path traversal issue matters. A network-accessible authentication bypass can shift the risk profile of nearby vulnerabilities in the same environment.
The concern is not theoretical for UniFi administrators. BleepingComputer noted that Censys was tracking more than 100,000 internet-exposed UniFi OS instances, although historical scan data may not show how many remain exposed or unpatched at any specific moment.
| Risk factor | Why it matters |
|---|---|
| Network-exploitable bugs | Attackers may not need local device access. |
| Low-privilege exploitation | A weak user account can become a path to host compromise. |
| Authentication bypass | Other vulnerabilities may become easier to reach. |
| Command injection | Attackers may execute operating system commands on the host. |
| Internet-exposed management interfaces | Exposed devices face a larger scanning and exploitation surface. |
Protect, Network, Talk, and Access also need attention
UniFi Protect has several high-impact flaws in the bulletin, including improper access control, improper initialization, SSRF, and SQL injection issues. These are important because Protect often manages cameras, recordings, device streams, and related infrastructure.
The CVE-2026-55115 record confirms that affected UniFi Protect versions before 7.1.83 can allow privilege escalation through SSRF. UniFi Protect also has a high-severity SQL injection issue tracked as CVE-2026-56841.
The advisory also affects UniFi Network Application 10.3.58 and earlier, UniFi Talk Application 5.1.2 and earlier, and UniFi Access Application 4.2.28 and earlier. These applications should be patched even when they are not reachable from the public internet.
What admins should do now
Ubiquiti did not list temporary workarounds for the 25 entries. The practical fix is to update each affected product to the listed fixed version or later through normal UniFi update channels.
Admins should use Ubiquiti’s advisory as the authoritative checklist, then confirm versions across all consoles, self-hosted servers, applications, gateways, NVRs, and NAS devices.
For UniFi Connect, the CVE-2026-50746 entry confirms that versions before 3.4.20 are affected. For UniFi OS devices, CVE-2026-55116 reinforces why admins should move affected systems to UniFi OS 5.1.19 or later.
- Inventory every UniFi OS console, UniFi OS Server instance, and hosted UniFi application.
- Update UniFi Connect to 3.4.20 or later.
- Update UniFi Talk to 5.2.2 or later.
- Update UniFi Access to 4.2.29 or later.
- Update UniFi Network Application to 10.4.57 or later.
- Update UniFi Protect to 7.1.83 or later and Protect Floodlight to 1.13.6 or later.
- Update UniFi OS systems to 5.1.19 or later.
- Restrict management interfaces to trusted networks and VPNs after patching.
- Review admin accounts, API access, and recent configuration changes for signs of abuse.
Bottom line
Ubiquiti’s Bulletin 066 is not a routine patch note. It covers 25 security issues across major UniFi applications and core UniFi OS devices, including critical vulnerabilities that can lead to command injection, privilege escalation, SSRF, and unauthorized configuration changes.
The update priority is clear: patch exposed and management-facing UniFi systems first, then verify every UniFi application version across the environment. With several flaws rated critical and no listed workarounds, delaying updates increases the chance that vulnerable UniFi devices become easy targets for network-based attackers.
FAQ
Ubiquiti Security Advisory Bulletin 066 is a July 2026 advisory covering 25 vulnerabilities across UniFi Connect, Talk, Access, Network, Protect, Protect Floodlight, and UniFi OS products.
The most severe issue is CVE-2026-50746, a CVSS 10.0 flaw in UniFi Connect Application 3.4.16 and earlier. It can allow command injection on the host device through improper access control.
Fixed versions include UniFi Connect 3.4.20 or later, UniFi Talk 5.2.2 or later, UniFi Access 4.2.29 or later, UniFi Network 10.4.57 or later, UniFi Protect 7.1.83 or later, Protect Floodlight 1.13.6 or later, and UniFi OS 5.1.19 or later.
Ubiquiti’s bulletin lists updates as the mitigation for the vulnerabilities. Administrators should install the fixed versions and also restrict management interfaces to trusted networks.
UniFi OS devices can host core management, gateway, surveillance, and storage functions. Several UniFi OS vulnerabilities in the advisory can support authentication bypass, command injection, privilege escalation, or unauthorized configuration changes.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages