VULNERABILITY OVERVIEW
CVE-2026-34910 (improper input validation / command injection, CWE-20) is the payload stage of a three-CVE chain (with CVE-2026-34908, an access-control bypass, and CVE-2026-34909, a path traversal) that lets a fully unauthenticated attacker with network access achieve root-level remote code execution on any UniFi OS device. Bishop Fox confirmed the full chain against a live 5.0.6 target; the attack abuses an NGINX auth bypass via encoded URI paths, then injects shell metacharacters into an unsanitized package-update endpoint. CISA added all three CVEs to the Known Exploited Vulnerabilities (KEV) catalog on June 23, 2026 with a 3-day federal remediation deadline; active exploitation is confirmed in the wild, and public PoC code is available on GitHub.
CVSS BREAKDOWN
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: CHANGED
- Impact: C:H · I:H · A:H
AFFECTED VERSIONS
All UniFi OS devices prior to UniFi OS Server 5.0.8, firmware 5.1.12 (Express 4.0.14, UNAS 5.1.10, UDM-Beast 5.1.11)
CITATIONS
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/
- https://beazley.security/alerts-advisories/critical-vulnerability-in-ubiquiti-network-application-under-active-exploitation-cve-2026-34908-cve-2026--34909-cve-2026-34910