Ubiquiti warns of new max severity UniFi OS vulnerability
Ubiquiti has released security updates addressing seven critical vulnerabilities in UniFi OS, including a maximum-severity command injection flaw (CVE-2026-50746) in the UniFi Connect Application. This vulnerability allows a malicious actor with network access to execute commands on the host device due to improper access control. Additional critical vulnerabilities affect UniFi Talk, UniFi Access, UniFi Protect applications, UniFi OS Server, and various Ubiquiti routers and devices. Ubiquiti advises updating UniFi Connect to version 3.4.20 or later to mitigate the command injection risk. No confirmed exploitation in the wild has been reported yet. The vulnerabilities can be exploited with low complexity and without user interaction, increasing their risk. The affected software is widely deployed, with many instances exposed online, particularly in the United States.
AI Analysis
Technical Summary
Ubiquiti disclosed seven critical vulnerabilities in UniFi OS products, including CVE-2026-50746, a maximum-severity command injection vulnerability in UniFi Connect Application versions 3.4.16 and earlier. This flaw arises from improper access control, enabling attackers with network access to execute arbitrary commands on the host. Ubiquiti patched this by releasing UniFi Connect version 3.4.20. Additional critical vulnerabilities (CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, CVE-2026-55116) affect other UniFi OS components and devices. These vulnerabilities can be exploited with low complexity and do not require user interaction. While no active exploitation has been confirmed, the widespread exposure of UniFi OS instances online, especially in the US, raises concern. Ubiquiti recommends immediate patching to secure affected systems.
Potential Impact
Successful exploitation of CVE-2026-50746 allows an attacker with network access to execute arbitrary commands on the host device, potentially leading to full system compromise. The other six critical vulnerabilities similarly pose significant risks across UniFi OS applications and devices. The low complexity of exploitation and lack of required user interaction increase the likelihood and ease of attacks. Compromised devices could be used for malicious purposes such as botnets or espionage. The widespread exposure of vulnerable UniFi OS instances online amplifies the potential impact.
Mitigation Recommendations
Ubiquiti has released official patches addressing these vulnerabilities. Users must update the UniFi Connect Application to version 3.4.20 or later to remediate the command injection vulnerability (CVE-2026-50746). Additionally, patches are available for UniFi Talk, UniFi Access, UniFi Protect applications, UniFi OS Server, and other affected devices. Applying these updates promptly is the recommended mitigation. There is no indication that these vulnerabilities are already mitigated or require no action. Organizations should verify that all UniFi OS instances are updated to the fixed versions to prevent exploitation.
Ubiquiti warns of new max severity UniFi OS vulnerability
Description
Ubiquiti has released security updates addressing seven critical vulnerabilities in UniFi OS, including a maximum-severity command injection flaw (CVE-2026-50746) in the UniFi Connect Application. This vulnerability allows a malicious actor with network access to execute commands on the host device due to improper access control. Additional critical vulnerabilities affect UniFi Talk, UniFi Access, UniFi Protect applications, UniFi OS Server, and various Ubiquiti routers and devices. Ubiquiti advises updating UniFi Connect to version 3.4.20 or later to mitigate the command injection risk. No confirmed exploitation in the wild has been reported yet. The vulnerabilities can be exploited with low complexity and without user interaction, increasing their risk. The affected software is widely deployed, with many instances exposed online, particularly in the United States.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Ubiquiti disclosed seven critical vulnerabilities in UniFi OS products, including CVE-2026-50746, a maximum-severity command injection vulnerability in UniFi Connect Application versions 3.4.16 and earlier. This flaw arises from improper access control, enabling attackers with network access to execute arbitrary commands on the host. Ubiquiti patched this by releasing UniFi Connect version 3.4.20. Additional critical vulnerabilities (CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, CVE-2026-55116) affect other UniFi OS components and devices. These vulnerabilities can be exploited with low complexity and do not require user interaction. While no active exploitation has been confirmed, the widespread exposure of UniFi OS instances online, especially in the US, raises concern. Ubiquiti recommends immediate patching to secure affected systems.
Potential Impact
Successful exploitation of CVE-2026-50746 allows an attacker with network access to execute arbitrary commands on the host device, potentially leading to full system compromise. The other six critical vulnerabilities similarly pose significant risks across UniFi OS applications and devices. The low complexity of exploitation and lack of required user interaction increase the likelihood and ease of attacks. Compromised devices could be used for malicious purposes such as botnets or espionage. The widespread exposure of vulnerable UniFi OS instances online amplifies the potential impact.
Mitigation Recommendations
Ubiquiti has released official patches addressing these vulnerabilities. Users must update the UniFi Connect Application to version 3.4.20 or later to remediate the command injection vulnerability (CVE-2026-50746). Additionally, patches are available for UniFi Talk, UniFi Access, UniFi Protect applications, UniFi OS Server, and other affected devices. Applying these updates promptly is the recommended mitigation. There is no indication that these vulnerabilities are already mitigated or require no action. Organizations should verify that all UniFi OS instances are updated to the fixed versions to prevent exploitation.
Threat ID: 6a4e0a26c9d9e3dbe3c1599b
Added to database: 07/08/2026, 08:28:22 UTC
Last enriched: 07/08/2026, 08:28:33 UTC
Last updated: 07/08/2026, 10:20:42 UTC
Views: 50
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.