Introduction
A path traversal vulnerability in Ubiquiti's UniFi OS firmware allows a low privileged attacker on the local network to read arbitrary files from the underlying operating system of any affected console or gateway. For organizations running UniFi Dream Machines, Cloud Keys, NVRs, or any of the dozens of other UniFi OS powered devices as their central network management plane, this flaw quietly exposed configuration data, credential stores, and other sensitive system files to anyone with basic authenticated access.
Ubiquiti Inc. is an American technology company founded in 2003 that develops a broad portfolio of networking hardware and software, including access points, routers, switches, cameras, and physical access control devices. These products are managed centrally through UniFi OS, a proprietary operating system that runs on dedicated consoles and serves as the single management interface for entire network deployments. UniFi is widely adopted across small and medium businesses, managed service providers, and prosumer environments, making vulnerabilities in UniFi OS particularly impactful given the breadth of devices and networks it controls.
Technical Information
CVE-2026-34911 is a Path Traversal vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The flaw exists within UniFi OS, the firmware operating system that powers Ubiquiti's console and gateway hardware. At its core, the vulnerability allows an authenticated user to craft requests that escape the intended directory boundaries of the web interface, gaining read access to files on the underlying Linux based operating system.
Preconditions
Two conditions must be met for successful exploitation:
- Network access: The attacker must be able to reach the UniFi OS device over the network. This typically means being on the same LAN segment, though devices with management interfaces exposed to the internet would also be reachable.
- Low privileges: The attacker must hold some level of authenticated access to the UniFi OS device. The advisory specifies "low privileges," though the exact role or permission level required is not disclosed in the public materials.
Attack Flow
Based on the advisory description and the behavioral changes observed in the patched firmware, we can outline the general exploitation pattern:
- The attacker authenticates to the UniFi OS management interface with a low privilege account.
- The attacker crafts a request containing directory traversal sequences. Community analysis of the patch suggests that URL encoded forward slashes (
%2F) are central to the traversal technique, as the patched firmware specifically scans for%2Fpatterns in stored parameter data. - The traversal allows the attacker to escape the restricted web root and access files on the underlying system.
- The accessed files could include configuration data, credential material, or other sensitive information that could be leveraged for further attacks such as privilege escalation or lateral movement.
What the Patch Reveals
While the exact vulnerable endpoint is not publicly documented, the patched firmware (version 5.1.12 for most devices) provides some insight into the nature of the flaw. Community analysis revealed that the updated OS introduces a new MongoDB startup query that actively scans parameter fields for URL encoded path traversal sequences. Specifically, it searches for the %2F pattern (URL encoded forward slash) across parameters such as parameters.ADMIN.name. This scan runs at boot time and functions as a built in indicator of compromise detection mechanism, flagging any stored data that may have been injected via the traversal bug before the patch was applied.
This detail suggests that the traversal was not merely a file read primitive but may have involved injecting traversal payloads into stored parameters, potentially through the management API or configuration interface. The fact that the IoC check targets parameters.ADMIN.name specifically hints that the attack vector may have intersected with administrative account data.
Information Gaps
Current public sources and vendor advisories do not disclose the specific HTTP request patterns, the exact vulnerable endpoints within the UniFi OS interface, or the precise low privilege roles required to trigger the traversal. No proof of concept exploit code has been published.
Patch Information
Ubiquiti addressed CVE-2026-34911 through firmware updates across the entire UniFi OS device family, as documented in Security Advisory Bulletin 064, published on May 21, 2026. The vulnerability was reported by Hakai Security through Ubiquiti's HackerOne bug bounty program.
Since Ubiquiti's UniFi OS is closed source firmware, there are no public code commits or diffs available. The fix is delivered exclusively through firmware upgrades.
The fixed firmware versions vary by device category:
| Device Category | Affected Versions | Patched Version |
|---|---|---|
| Most UniFi OS devices (UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG Fiber, UCG Industrial, UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise, UNVR G2, UNVR G2 Pro) | Various up to 5.0.17 / 5.1.11 | 5.1.12 |
| UniFi OS Server (Self Hosted) | 5.0.6 and earlier | 5.0.8 |
| Network Attached Storage (UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8) | 5.1.8 and earlier | 5.1.10 |
| UDM Beast | 5.1.8 and earlier | 5.1.11 |
Firmware updates can be obtained through the official Ubiquiti downloads portal.
As noted in the Technical Information section, the patched firmware includes a MongoDB startup query that scans for %2F patterns in stored parameter fields, serving as a post exploitation indicator of compromise check. Administrators who have applied the patch should monitor boot logs for any flags raised by this mechanism. Community discussion also recommends reviewing access logs for path traversal indicators like ..%2F to determine whether devices were compromised prior to patching.
Affected Systems and Versions
The following UniFi OS device families are affected. All versions prior to the listed patched version are vulnerable:
UniFi OS Consoles and Gateways (patched in 5.1.12):
- UniFi Dream Machine (UDM)
- UniFi Dream Machine Pro (UDM Pro)
- UniFi Dream Machine SE (UDM SE)
- UniFi Dream Machine Pro Max (UDM Pro Max)
- UniFi Dream Router (UDR)
- UniFi Dream Router 7 (UDR7)
- UniFi Dream Router 5G (UDR 5G)
- UniFi Dream Wall (UDW)
- UniFi Express 7
- UniFi Cloud Gateway Ultra (UCG Ultra)
- UniFi Cloud Gateway Max (UCG Max)
- UniFi Cloud Gateway Fiber (UCG Fiber)
- UniFi Cloud Gateway Industrial (UCG Industrial)
- UniFi Cloud Key Gen2 Plus (UCKP)
- UniFi Cloud Key (UCK)
- UniFi Cloud Key Enterprise (UCK Enterprise)
- UniFi NVR (UNVR)
- UniFi NVR Pro (UNVR Pro)
- UniFi NVR Instant (UNVR Instant)
- UniFi NVR G2 (UNVR G2)
- UniFi NVR G2 Pro (UNVR G2 Pro)
- ENVR
- ENVR Core
- EFG
UniFi OS Server, Self Hosted (patched in 5.0.8):
- Versions 5.0.6 and earlier
Network Attached Storage (patched in 5.1.10):
- UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8
- Versions 5.1.8 and earlier
UDM Beast (patched in 5.1.11):
- Versions 5.1.8 and earlier
Vendor Security History
Ubiquiti has faced multiple high severity vulnerabilities in its software ecosystem in 2026 alone. In March and May 2026, the vendor patched two significant flaws in the UniFi Network application:
- CVE-2026-22557: A maximum severity (CVSS 10.0) path traversal vulnerability that allowed network attackers to access system files and potentially take over user accounts.
- CVE-2026-22558: A CVSS 7.7 Authenticated NoSQL Injection vulnerability enabling privilege escalation.
The discovery of CVE-2026-34911 represents the third high severity or critical vulnerability in the UniFi ecosystem within a few months, and the second path traversal issue specifically. This pattern of recurring input validation failures within the UniFi software stack underscores the importance of maintaining rigorous patching schedules and monitoring Ubiquiti's security advisories closely.



