ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34908, a CVSS 10.0 Improper Access Control Flaw in UniFi OS Devices

A short review of CVE-2026-34908, a maximum severity improper access control vulnerability in Ubiquiti UniFi OS devices that allows network adjacent attackers to make unauthorized system changes. Includes patch details across all affected product lines.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-21

Brief Summary: CVE-2026-34908, a CVSS 10.0 Improper Access Control Flaw in UniFi OS Devices
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A maximum severity access control flaw in Ubiquiti's UniFi OS allows an unauthenticated, network adjacent attacker to make arbitrary unauthorized changes to the system, potentially compromising the entire managed infrastructure in one move. Because UniFi OS serves as the centralized management plane for enterprise networking gear, surveillance cameras, and physical access control systems, the blast radius of this vulnerability extends well beyond traditional IT boundaries into physical security.

Ubiquiti Inc. is an American technology company whose UniFi product line is widely deployed in small and medium businesses, enterprises, and managed service provider environments. The UniFi ecosystem encompasses access points, routers, switches, IP cameras, door locks, and VoIP phones, all administered through a single UniFi OS console. This centralization makes UniFi OS a high value target: compromising the console means compromising everything it manages.

Technical Information

CVE-2026-34908 is classified under CWE-284 (Improper Access Control). The official vendor description states that "a malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system." The critical detail here is that the attack requires only network access; no authentication, no valid session, and no prior credentials are needed.

The Role of UniFi OS as a Central Management Plane

UniFi OS runs on a range of hardware consoles (Dream Machines, Cloud Gateways, Cloud Keys, NVRs, NAS devices, and more) and provides a single pane of glass for configuring and administering all connected UniFi devices. This includes network infrastructure (access points, switches, routers), physical security (cameras, NVRs), and access control (smart locks). An attacker who gains the ability to make unauthorized system changes at the UniFi OS level effectively controls the entire managed environment.

Attack Surface and Vectors

The vulnerability is exploitable by any attacker with network adjacency to the UniFi OS management interface. In many deployments, this interface is accessible on the same VLAN as general corporate traffic or, in some cases, exposed to broader network segments. The attack does not require any form of authentication, which makes it particularly dangerous in environments where management interfaces are not properly segmented.

Community discussions indicate that Security Advisory Bulletin 064 patches a total of five vulnerabilities. Three of these carry CVSS 10.0 scores: CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. Community members have described these as unauthenticated Remote Code Execution capabilities, though this characterization comes from community analysis rather than the official advisory text. The bulletin also addresses CVE-2026-33000, which carries a CVSS base score of 9.1. Community members have identified input validation, access control, and path traversal as the attack vectors associated with this release.

Limitations of Available Technical Detail

The exact exploitation mechanics, the specific code paths involved, and the precise internal mechanisms of the access control bypass are not detailed in the available advisory summaries. Because UniFi OS is closed source firmware, no source code diff or commit level patch is publicly available for independent analysis. Security teams should consult the full release notes on the vendor portal to map the exact affected assets in their environment.

Patch Information

Ubiquiti addressed CVE-2026-34908 through a coordinated set of firmware updates released on May 21, 2026, as documented in Security Advisory Bulletin 064. The fix is delivered entirely via binary firmware updates that must be applied through the Ubiquiti device management interface. The UniFi OS Cloud Gateways 5.1.12 release notes explicitly confirm the fix, noting it "Fixed the security issues mentioned in Security Advisory Bulletin 064."

The patched firmware versions vary by product line:

Product GroupVulnerable VersionsFixed Version
UniFi OS Server5.0.6 and earlier5.0.8 or later
UCG Industrial5.0.13 and earlier5.1.12 or later
UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG Fiber5.0.16 and earlier5.1.12 or later
UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise5.0.17 and earlier5.1.12 or later
UNVR G2, UNVR G2 Pro5.1.11 and earlier5.1.12 or later
UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 85.1.8 and earlier5.1.10 or later
UDM Beast5.1.8 and earlier5.1.11 or later

A few details worth calling out. The fix version is not uniform across all product families. The UniFi OS Server branch uses version 5.0.8 while the UNAS series lands on 5.1.10 and the UDM Beast is patched at 5.1.11. This reflects divergent firmware branches across Ubiquiti's hardware portfolio, and administrators must match the correct update to each device model they operate.

The CVE record on cve.org (managed by CNA HackerOne) enumerates all affected product versions with a default status of "unaffected," meaning versions from 0 to the fixed version boundary are marked as affected, and anything at or above the fixed version is considered safe.

Ubiquiti published dedicated release pages for each product category firmware update. The advisory linked twelve separate firmware release pages covering Cloud Gateways, Dream Machines, Dream Routers, Express 7, NAS, Enterprise NVRs, NVRs, Cloud Keys, Enterprise Fortress Gateway, Dream Wall, Dream Machine Beast, and the UniFi OS Server itself. The update is being rolled out gradually, so not all devices may see the update immediately in their management console.

Until patches are applied, organizations should restrict management interface access to trusted administrative VLANs or dedicated management networks to reduce the immediate attack surface. The available vendor documentation does not specify any temporary workarounds or configuration changes that can mitigate the flaw without applying the firmware patch.

Affected Systems and Versions

All UniFi OS devices running firmware below the fixed versions listed above are affected. The specific product families and their vulnerable version ranges are:

  • UniFi OS Server: versions 5.0.6 and earlier
  • UCG Industrial: versions 5.0.13 and earlier
  • UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG Fiber: versions 5.0.16 and earlier
  • UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise: versions 5.0.17 and earlier
  • UNVR G2, UNVR G2 Pro: versions 5.1.11 and earlier
  • UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8: versions 5.1.8 and earlier
  • UDM Beast: versions 5.1.8 and earlier

The vulnerability affects all firmware versions from the first release through the version boundaries listed above. Any device running firmware at or above the fixed version for its product family is considered safe.

Vendor Security History

Ubiquiti has a notable security history that provides relevant context. In 2021, the company experienced a highly publicized security incident that was later revealed to be an insider threat. Nikolas Sharp, a former cloud lead for the company, misused his administrative access to steal gigabytes of confidential data and subsequently attempted to extort the company for approximately $2 million. When the ransom was not paid, Sharp posed as an anonymous whistleblower and planted damaging news stories claiming the theft was due to a vulnerability in the company's systems. This incident caused Ubiquiti's stock to fall 20 percent, resulting in a market capitalization loss exceeding $4 billion.

This historical context is relevant because it demonstrates the severe impact that trusted network access (whether from insiders or external attackers exploiting access control flaws) can have on Ubiquiti infrastructure and the organizations that depend on it.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization