Introduction
A path traversal vulnerability in Ubiquiti's UniFi OS firmware allows an unauthenticated attacker on the network to read sensitive system files and leverage them to hijack an underlying account, earning a maximum CVSS score of 10.0. This is the second CVSS 10.0 path traversal flaw disclosed in Ubiquiti products in 2026, following CVE-2026-22557 in the UniFi Network Application just two months earlier, raising questions about systemic input validation weaknesses across the UniFi software stack.
Technical Information
CVE-2026-34909 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The vulnerability resides within UniFi OS, the operating system that powers Ubiquiti's management consoles and networking appliances across a broad range of hardware platforms.
Attack Surface and Prerequisites
The attack requires only network access to the target device. According to the CVSS vector components, no authentication and no user interaction are required, placing this squarely in the category of unauthenticated remote exploitation. Given that UniFi OS consoles often serve as the central management plane for an organization's entire network infrastructure, the blast radius of a successful exploit is substantial.
Root Cause
The flaw stems from improper input validation related to file paths within the UniFi OS web or API layer. When processing requests that include file path parameters, the application fails to properly sanitize or restrict directory traversal sequences, allowing an attacker to escape the intended directory boundary and access arbitrary files on the underlying Linux based operating system.
Exploitation Flow
Based on the vendor advisory description, the exploitation proceeds through the following stages:
- The attacker identifies a UniFi OS device accessible on the network.
- The attacker crafts a request containing path traversal sequences (such as
../patterns) targeting a vulnerable endpoint on the device. - The device fails to properly sanitize or restrict the file path, allowing the attacker to read files outside the intended directory.
- The attacker accesses system files that contain or control account credentials or authentication material.
- The attacker manipulates or uses the accessed data to compromise an underlying account on the device, effectively gaining administrative control.
Impact
The result is a total loss of confidentiality, integrity, and availability. An attacker who gains administrative access to a UniFi OS console can reconfigure network infrastructure, intercept traffic, pivot to other network segments, or disable security controls entirely. The vulnerability was discovered and reported by Abdulaziz Almadhi of Catchify Security.
The specific files targeted during exploitation and the precise mechanism of account manipulation have not been disclosed by the vendor. Because UniFi OS is closed source firmware, no source level code analysis is publicly available.
Patch Information
Ubiquiti addressed CVE-2026-34909 through firmware updates released on May 21, 2026, as part of Security Advisory Bulletin 064. The bulletin, coordinated through HackerOne, covers this path traversal vulnerability alongside four other vulnerabilities fixed in the same release cycle. The fix is delivered entirely via firmware image updates; no source level code diffs are publicly available.
The patched firmware versions vary by device platform, reflecting the different release trains Ubiquiti maintains for its hardware lines:
| Device(s) | Vulnerable Versions | Fixed Version |
|---|---|---|
| UniFi OS Server | 5.0.6 and earlier | 5.0.8 |
| UDM Beast | 5.1.8 and earlier | 5.1.11 |
| UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8 | 5.1.8 and earlier | 5.1.10 |
| UNVR G2, UNVR G2 Pro | 5.1.11 and earlier | 5.1.12 |
| UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG Fiber | 5.0.16 and earlier | 5.1.12 |
| UCG Industrial | 5.0.13 and earlier | 5.1.12 |
| UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise | 5.0.17 and earlier | 5.1.12 |
For most products, the version jump from vulnerable to patched is significant (e.g., from 5.0.16 to 5.1.12), indicating that the path traversal fix was landed in the 5.1.x development branch rather than backported to the older 5.0.x line. The exception is the standalone UniFi OS Server appliance, which received a targeted fix in 5.0.8.
Ubiquiti published dedicated release notes pages for each hardware family confirming the security fixes. Beyond patching, organizations should ensure that management interfaces for UniFi OS devices are strictly isolated on dedicated administrative networks to limit unauthorized network access.
Affected Systems and Versions
The vulnerability affects the entire UniFi OS device family. The following products running firmware versions at or below the listed thresholds are vulnerable:
- UniFi OS Server: versions 5.0.6 and earlier
- UDM Beast: versions 5.1.8 and earlier
- UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8: versions 5.1.8 and earlier
- UNVR G2, UNVR G2 Pro: versions 5.1.11 and earlier
- UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7: versions 5.0.16 and earlier
- UNVR, UNVR Pro, UNVR Instant, ENVR: versions 5.0.16 and earlier
- UCG Ultra, UCG Max, UCG Fiber: versions 5.0.16 and earlier
- UCG Industrial: versions 5.0.13 and earlier
- UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise: versions 5.0.17 and earlier
Any UniFi OS device exposed to a network where an attacker has access is at risk. The vulnerability requires no authentication and no user interaction.
Vendor Security History
CVE-2026-34909 is not an isolated incident for Ubiquiti. In March 2026, the company issued Security Advisory Bulletin 062 to patch CVE-2026-22557, another CVSS 10.0 path traversal flaw, this time in the UniFi Network Application, which also allowed potential account hijacking. The rapid succession of two maximum severity path traversal vulnerabilities within a three month window suggests systemic challenges with input validation across the UniFi software ecosystem.
To Ubiquiti's credit, the vendor has demonstrated quick turnaround times in releasing firmware patches and has maintained a coordinated disclosure process through HackerOne. However, the pattern warrants attention from organizations that rely heavily on UniFi infrastructure, particularly given the breadth of affected device families in this latest disclosure.
References
- CVE-2026-34909 on CVE.org
- Security Advisory Bulletin 064 (Ubiquiti Community)
- Security Advisory Bulletin 064 Discussion (Ubiquiti Community)
- Security Advisory Bulletin 064 (Reddit)
- UniFi OS Express 7 5.1.12 Release Notes
- UniFi OS Dream Machines 5.1.12 Release Notes
- UniFi OS Dream Routers 5.1.12 Release Notes
- Security Advisory Bulletin 062 (CVE-2026-22557)
- Critical Ubiquiti UniFi Security Flaw (Security Affairs)
- CVE-2026-22557 Analysis (Penligent)
- Ubiquiti (Wikipedia)



