Ubiquiti Patches Maximum-Severity UniFi OS Command Injection Flaw

Ubiquiti shipped fixes for seven critical UniFi OS vulnerabilities, including CVE-2026-50746, an unauthenticated CVSS 10.0 command injection bug reachable by any device on the same network segment.

Vulnerability Tools

Ubiquiti released security updates addressing seven critical vulnerabilities spanning UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. The most severe, CVE-2026-50746, carries the maximum CVSS score of 10.0: an improper access control flaw in UniFi Connect Application (3.4.16 and earlier) that lets any attacker on the same network segment send a single crafted request and achieve arbitrary command execution on the host, without authentication.

Two related flaws, CVE-2026-54402 and CVE-2026-50748, are improper input validation bugs in UniFi OS and UniFi Access respectively, both rated CVSS 9.9 and both exploitable by an attacker with network access to trigger command injection on the host device.

Threat intelligence firm Censys reports more than 100,000 UniFi OS instances exposed to the internet, nearly half of them in the United States. No confirmed exploitation has been reported so far, but the combination of no-authentication-required and network-adjacency-only makes this class of bug attractive for automated scanning once technical details circulate.

UniFi Connect 3.4.20 resolves CVE-2026-50746; Ubiquiti has published fixes for the remaining six flaws across the affected product lines. Patch all UniFi devices now rather than staggering the rollout, and don’t assume network segmentation alone is sufficient — verify that management interfaces for these products aren’t reachable from guest, IoT, or other untrusted VLANs.

Why it matters: Confirm your UniFi Connect, Access, Protect, Talk, and OS deployments are on the patched builds — CVE-2026-50746 needs no authentication and no more than network adjacency, which describes most guest or IoT VLANs that share a segment with management infrastructure.

Read source →