Ubiquiti has disclosed two vulnerabilities in its UniFi Network Application, the management plane for UniFi access points, gateways, and switches deployed across thousands of enterprise and prosumer networks. The worst of the pair — CVE-2026-22557 — carries a perfect CVSS 10.0 and allows an unauthenticated, remote attacker to take over any account on the controller through a path traversal primitive.
This is Ubiquiti’s third maximum-severity flaw in the UniFi ecosystem in under a year.
What happened
On March 18, 2026, Ubiquiti published Security Advisory Bulletin 062 disclosing two flaws in the UniFi Network Application:
| CVE | Type | CVSS | Auth required |
|---|---|---|---|
| CVE-2026-22557 | Path traversal | 10.0 | No |
| CVE-2026-22558 | NoSQL injection | 7.7 | Yes |
CVE-2026-22557 affects all versions of the UniFi Network Application through 10.1.85. The path traversal allows an unauthenticated remote attacker to read arbitrary files accessible to the application process. By manipulating file paths, an attacker can reach database configuration files, credential stores, and access token files — enough to hijack any user session or account on the controller.
The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — network-accessible, low complexity, no privileges, no user interaction, and cross-scope impact on confidentiality, integrity, and availability.
CVE-2026-22558 is a companion NoSQL injection vulnerability rated CVSS 7.7 that allows an authenticated attacker to escalate privileges within the application. On its own it requires valid credentials, but chained with CVE-2026-22557 it creates a full kill chain: unauthenticated initial access via the path traversal, then privilege escalation to administrative control through the injection.
Why this matters
The UniFi Network Application is the central management plane for Ubiquiti’s networking gear. Compromising it means an attacker can:
- Reconfigure network infrastructure — modify firewall rules, VLANs, and routing to enable lateral movement or persistent access
- Push malicious firmware to managed access points and switches
- Harvest credentials from the controller’s stored site configurations, including WPA keys, RADIUS secrets, and VPN credentials
- Pivot into internal networks using the controller’s privileged position
Many UniFi controllers are self-hosted on Linux boxes or Windows servers inside the network perimeter, but a non-trivial number are internet-facing. Censys and Shodan queries for the default UniFi controller ports (8443/tcp, 8080/tcp) consistently return tens of thousands of exposed instances. Matthew Guidry, senior product detection engineer at Censys, noted that while no public proof-of-concept exploits or confirmed exploitation have been observed yet, the technical bar for exploiting a path traversal is significantly lower than memory corruption bugs.
This is the third CVSS 10.0 flaw Ubiquiti has disclosed in the UniFi product line within the past year, raising questions about the maturity of their secure development lifecycle for the management plane.
Who is affected
- Any organization running UniFi Network Application version 10.1.85 or earlier
- Self-hosted and cloud-hosted deployments are both in scope
- All operating systems (Linux, Windows, macOS) running the application
What to do right now
Upgrade immediately to UniFi Network Application 10.1.89 or later, which patches both CVE-2026-22557 and CVE-2026-22558.
Audit controller exposure. If your UniFi controller is reachable from the internet on ports 8443 or 8080, restrict access to a VPN or management VLAN immediately. There is no reason for the controller web UI to be internet-facing.
Rotate credentials. If you were running a vulnerable version with any internet exposure, assume compromise and rotate:
- UniFi controller admin passwords
- Site WiFi passwords and RADIUS secrets stored in the controller
- Any VPN credentials configured through the controller
- SSH keys for managed devices
Review controller logs for anomalous file access patterns or unexpected authentication events. Look for unusual API requests to paths outside the expected application routes.
Check for unauthorized configuration changes on managed devices — rogue firewall rules, unexpected SSIDs, modified VLAN assignments, or firmware versions that don’t match your baseline.
Advisories and references
- Ubiquiti Security Advisory Bulletin 062 — vendor advisory
- CyCognito: Emerging Threat Analysis — CVE-2026-22557
- CyberScoop: Ubiquiti defect poses account takeover risk
- BleepingComputer: Max severity Ubiquiti UniFi flaw
Credit: Discovered by security researcher n00r3 (@izn0u).