Ubiquiti Releases Critical Security Updates for UniFi Products

Ubiquiti has recently issued critical security updates to address multiple vulnerabilities across its UniFi product line, including UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. These flaws, if exploited, could lead to privilege escalation and arbitrary command execution on affected devices.

The most severe of these vulnerabilities is CVE-2026-50746, which has been assigned a CVSS score of 10.0. This flaw resides in the UniFi Connect Application versions 3.4.16 and earlier. An attacker with network access could exploit this improper access control vulnerability to execute command injections on the host device. Users are advised to update to version 3.4.20 or later to mitigate this risk.

Another critical issue, CVE-2026-50747, affects UniFi Talk Application versions 5.1.2 and earlier. This series of authenticated SQL injection vulnerabilities, with a CVSS score of 9.9, could allow an attacker with network access to escalate privileges on the host device. The recommended fix is to upgrade to version 5.2.2.

UniFi Access Application versions 4.2.28 and earlier are impacted by CVE-2026-50748, an improper input validation vulnerability with a CVSS score of 9.9. Exploitation could lead to command injection on the host device. Users should update to version 4.2.29 to address this issue.

Additionally, CVE-2026-54400, affecting the same versions of UniFi Access Application, has a CVSS score of 9.1. This improper access control vulnerability could enable privilege escalation on the host device. The fix is included in version 4.2.29.

UniFi Protect Application versions 7.1.77 and earlier are susceptible to CVE-2026-55115, a Server-Side Request Forgery (SSRF) vulnerability with a CVSS score of 9.9. An attacker with network access and low privileges could exploit this to escalate privileges. Updating to version 7.1.83 is recommended.

UniFi OS versions 5.1.15 and earlier contain CVE-2026-54402, an improper input validation vulnerability with a CVSS score of 9.9. This flaw could allow command injection on the host device. Users should upgrade to version 5.1.19.

Lastly, CVE-2026-55116, also affecting UniFi OS versions 5.1.15 and earlier, has a CVSS score of 9.0. This improper access control vulnerability could permit unauthorized changes to certain devices. The issue is resolved in version 5.1.19.

While there is currently no evidence of these vulnerabilities being exploited in the wild, it’s crucial for users to apply these updates promptly to secure their systems. Notably, previous vulnerabilities in UniFi OS have been exploited in real-world attacks, underscoring the importance of timely patching.

Ubiquiti’s swift response in releasing these patches highlights the ongoing challenges in securing network infrastructure. As cyber threats continue to evolve, it’s imperative for organizations to maintain vigilance and ensure their systems are up-to-date to mitigate potential risks.