Ubiquiti published Security Advisory Bulletin 066 disclosing 25 vulnerabilities spanning nearly its entire UniFi product line — network management, physical access control, video surveillance, VoIP, and the core UniFi OS platform itself. The headline flaw, CVE-2026-50746, is a perfect CVSS 10.0: unauthenticated, network-reachable command injection in the UniFi Connect Application. Censys estimates roughly 100,000 UniFi OS endpoints are directly reachable from the public internet, making this one of the broadest high-severity patch windows Ubiquiti has shipped this year. No exploitation has been reported yet, but the combination of severity and exposure means that window won’t stay quiet for long.
This is a distinct advisory from the SAB-064 Nginx-bypass-to-root-RCE chain in UniFi OS Server (CVE-2026-34908/09/10) that CISA added to KEV in June — different CVEs, different components, same vendor having a rough few months.
The vulnerabilities that matter
| CVE | Component | CVSS | Type |
|---|---|---|---|
| CVE-2026-50746 | UniFi Connect Application | 10.0 | Improper access control → unauthenticated command injection |
| CVE-2026-50747 | UniFi Talk | 9.9 | Authenticated SQL injection chain → privilege escalation |
| CVE-2026-50748 | UniFi Access | 9.9 | Improper input validation → command injection |
| CVE-2026-55115 | UniFi Protect | 9.9 | SSRF → privilege escalation |
| CVE-2026-54402 | UniFi OS | 9.9 | Improper input validation → command injection |
| CVE-2026-54403 | UniFi OS | 8.6 | Path traversal (chainable to bypass low-privilege requirement) |
CVE-2026-50746 is the one to fix first. A network-adjacent, unauthenticated attacker with no user interaction reaches the UniFi Connect Application’s device-management API and injects shell commands that execute on the host with elevated privileges — the textbook profile for internet-wide mass scanning the moment a public PoC lands. It affects UniFi Connect Application 3.4.16 and earlier; the fix is in 3.4.20.
The rest of the bulletin isn’t filler. CVE-2026-50747 chains a series of authenticated SQL injection points in UniFi Talk (5.1.2 and earlier, fixed in 5.2.2) into privilege escalation on the host device. CVE-2026-50748 gives command injection in UniFi Access, the physical door-control product — a bug here has real-world consequences beyond data loss. CVE-2026-55115 uses SSRF in UniFi Protect (7.1.77 and earlier, fixed in 7.1.83) to pivot into privileged internal services, relevant to anyone running Protect’s video infrastructure with cloud or third-party integrations. And in UniFi OS itself, CVE-2026-54402 (5.1.15 and earlier, fixed in 5.1.19) is command injection reachable by any network-adjacent attacker, while Ubiquiti explicitly flags CVE-2026-54403 — an 8.6 path-traversal bug — as chainable with the others to bypass the low-privilege precondition entirely. Treat that pairing as a de facto unauthenticated path into whatever it’s chained with.
Why the exposure number matters
UniFi’s whole value proposition is centralized management of a site’s networking, access control, and video stack from one console — usually a UDM, UNVR, or UNAS appliance sitting at the network edge. That’s exactly the kind of device that ends up internet-facing for remote management convenience, and Censys’s ~100,000-endpoint figure lines up with what’s historically been seen scanning for prior UniFi OS bugs. A CVSS 10.0 with that reach is a mass-exploitation setup, not a niche enterprise risk — small business deployments with a Dream Machine exposed for remote admin are just as much a target as large multi-site environments.
Mitigation
- Patch now, in priority order: UniFi Connect Application → 3.4.20+, UniFi OS → 5.1.19+, UniFi Talk → 5.2.2+, UniFi Protect → 7.1.83+, UniFi Access → check the console for the current fixed build. All updates are delivered via the UniFi OS console (Settings → Updates).
- Pull management interfaces off the public internet. None of these products should have their admin console or API directly reachable from WAN. Put remote management behind a VPN or restrict source IPs at the firewall — this single control neutralizes the entire bulletin regardless of patch timing.
- Prioritize UniFi Access if you run physical door control. CVE-2026-50748 has consequences beyond data or network compromise; verify your Access controllers are patched and not internet-exposed before anything else on this list.
- Watch for the chained path-traversal bug. If you’re triaging by CVSS alone, CVE-2026-54403 at 8.6 looks lower priority than it is — Ubiquiti’s own advisory calls out that it removes the low-privilege precondition on other bugs in the bulletin.
- Audit for prior compromise on any UniFi appliance that’s been internet-facing: check for unexpected admin accounts, modified firewall rules, unfamiliar processes, and outbound connections to non-Ubiquiti infrastructure.
References
- Ubiquiti Community: Security Advisory Bulletin 066
- The Hacker News: Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
- SecurityAffairs: Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation
- TechTimes: UniFi CVSS 10.0 Flaw Exposes 100,000 Endpoints to Unauthenticated Takeover
- CyberSecurityNews: Ubiquiti Disclosed 25 Security Vulnerabilities Across the UniFi Ecosystem
- Field Effect: Ubiquiti patches multiple critical vulnerabilities in UniFi products
- The Cyber Express: CVE-2026-50746 — Ubiquiti Fixes Critical UniFi OS Flaws