ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-47368 Path Traversal in Ubiquiti UniFi OS and Its Role in a Five CVE Bulletin

A short review of CVE-2026-47368, a high severity path traversal vulnerability in Ubiquiti UniFi OS that enables network adjacent attackers to read sensitive data from affected devices. Includes patch details across multiple device families and context on vulnerability chaining with four other CVEs in the same advisory.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: CVE-2026-47368 Path Traversal in Ubiquiti UniFi OS and Its Role in a Five CVE Bulletin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Ubiquiti's UniFi OS just received its third major security bulletin in under three months, and this one bundles five CVEs together, including a path traversal flaw that lets a network adjacent attacker read arbitrary files from affected devices. CVE-2026-47368 scores 8.6 on NVD (9.9 per Ubiquiti's own assessment) and sits alongside command injection and privilege escalation vulnerabilities that, when chained, could lead to complete device compromise.

Technical Information

Root Cause: CWE-22 Path Traversal

CVE-2026-47368 falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability resides in the UniFi OS application layer, where insufficient input validation on file path parameters allows an attacker to inject directory traversal sequences (such as ../) into requests. This enables the attacker to escape the intended directory boundary and read arbitrary files on the underlying filesystem of the UniFi OS device.

The official NVD description states: "A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to obtain data from such UniFi OS devices or instances."

Because UniFi OS is closed source firmware, no source level diff or vulnerable code snippet is publicly available. The fix is delivered exclusively through official firmware images.

Attack Vector and Prerequisites

The attack requires network adjacency: the attacker must be on the same local network segment as the UniFi OS device or have a route to its management interface. This is a meaningful constraint compared to the Bulletin 064 vulnerabilities, which were WAN exploitable. Community discussion on Reddit confirms that Bulletin 065 vulnerabilities require local network access and have "no remote execution."

However, the advisory explicitly notes a critical detail: this CVE can be chained with other vulnerabilities to eliminate the requirement for low privileged access. This means that in combination with the four other CVEs in Bulletin 065 (CVE-2026-47367, CVE-2026-47369, CVE-2026-47370, CVE-2026-48610), the effective attack surface may be broader than the path traversal alone suggests.

Vulnerability Chaining Context

The chaining concern is not theoretical. A June 8, 2026 BleepingComputer report documented that three previously patched UniFi OS vulnerabilities from Bulletin 064 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) could be chained to achieve unauthenticated remote code execution with root privileges on the UniFi OS Server. That chain combined an access control flaw, a path traversal flaw, and an input validation flaw.

Bulletin 065 presents a structurally similar set of vulnerability classes: path traversal (CVE-2026-47368), command injection, and privilege escalation via improper input validation. The CSA Singapore advisory (AL-2026-059) specifically warns that chaining vulnerabilities in the same bulletin could lead to "complete compromise of the target device."

CVSS Scoring Discrepancy

NVD assigned a score of 8.6 (High), while Ubiquiti rates the vulnerability at CVSS 9.9 (Critical). The full CVSS v3.1 vector string was not yet populated in the NVD entry at the time of publication. The discrepancy likely reflects differences in how the network adjacent attack vector is weighted: Ubiquiti may have scored exploitability higher given the low complexity of path traversal attacks and the chaining potential, while NVD may have applied a more conservative assessment of the network adjacency requirement.

Bulletin 065 Vulnerability Summary

CVEVulnerability TypeAffected Product
CVE-2026-47367(Disclosed in Bulletin 065)UniFi OS
CVE-2026-47368Path TraversalUniFi OS
CVE-2026-47369(Disclosed in Bulletin 065)UniFi OS
CVE-2026-47370(Disclosed in Bulletin 065)UniFi OS / UID Enterprise Agent
CVE-2026-48610(Disclosed in Bulletin 065)UID Enterprise Agent

The discovery of CVE-2026-47368 is credited to researcher Brandon Rossi, reported through the HackerOne bug bounty program, which served as the CNA for this CVE.

Patch Information

Ubiquiti addressed CVE-2026-47368 through firmware updates released on June 10, 2026, documented in Security Advisory Bulletin 065. Because UniFi OS is closed source firmware, no source level diff is publicly available; the fix is delivered exclusively through official firmware images.

The fixed firmware versions vary by device family:

Device FamilyVulnerable VersionsFixed Version
UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCK, UCKP, UCK-Enterprise, UNVR, UNVR-Pro, UNVR-Instant, ENVR, ENVR-Core, UNVR-G2, UNVR-G2-Pro, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber≤ 5.1.125.1.15
UniFi OS Server≤ 5.0.85.1.15
UDM-Beast≤ 5.1.115.1.15
UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8≤ 5.1.105.1.16
Express≤ 4.0.144.0.15

Note the version split across firmware branches: while most device families are patched at 5.1.15, the UNAS (Network Attached Storage) line requires 5.1.16, and the Express line has its own branch at 4.0.15. This is because the NAS and Express products run different firmware branches from the main UniFi OS gateway/recorder family, so the path traversal fix landed at slightly different version numbers per branch.

UniFi OS console users (Dream Machine, Dream Wall, Dream Router, Cloud Key, Cloud Gateway) should apply the firmware update through their device management interface. Self hosted UniFi OS Server administrators should download version 5.1.15 from the Ubiquiti downloads page.

Important: Patching CVE-2026-47368 in isolation is insufficient. All five Bulletin 065 CVEs must be addressed together, as the advisory confirms that this path traversal flaw can be chained with the other disclosed vulnerabilities to escalate impact.

Compensating Controls

For environments where immediate patching is not feasible:

  • Place UniFi OS management interfaces on isolated VLANs or management networks not accessible from general user segments
  • Do not expose the UniFi OS management interface to the internet under any circumstances
  • Monitor for unauthorized Super Admin invites, particularly accounts named unifi_support, which has been identified as a hallmark of a known threat actor targeting UniFi devices
  • Enable email and push notifications for security events and admin actions within UniFi OS settings

Affected Systems and Versions

The following UniFi OS device families and version ranges are confirmed vulnerable:

UniFi OS Consoles and Gateways (versions ≤ 5.1.12): UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCK, UCKP, UCK-Enterprise, UNVR, UNVR-Pro, UNVR-Instant, ENVR, ENVR-Core, UNVR-G2, UNVR-G2-Pro, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber.

UniFi OS Server (versions ≤ 5.0.8): The self hosted Linux server variant.

UDM-Beast (versions ≤ 5.1.11).

UNAS Network Attached Storage (versions ≤ 5.1.10): UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8.

Express (versions ≤ 4.0.14).

As noted by runZero's analysis, the path traversal flaw exists within the application layer, making "any host running a vulnerable version of the Network Application a potential target." The broad deployment of UniFi devices across SMB, prosumer, and some enterprise environments means the potential attack surface is substantial.

Vendor Security History

Ubiquiti's 2026 security track record reveals a concerning pattern of critical severity vulnerabilities disclosed in rapid succession:

DateBulletinCVEsMax CVSSVulnerability TypesPatch Version
2026-03-19StandaloneCVE-2026-22557, CVE-2026-2255810.0Path Traversal, NoSQL InjectionUniFi Network Application 8.6.9
2026-05-22Bulletin 064CVE-2026-34908, 34909, 34910, 3491110.0Access Control, Path Traversal, Input ValidationUniFi OS 5.1.12
2026-06-11Bulletin 065CVE-2026-47367, 47368, 47369, 47370, 486109.9 (Ubiquiti) / 8.6 (NVD)Path Traversal, Command Injection, Input ValidationUniFi OS 5.1.15

Three major vulnerability disclosures in under three months, each containing maximum or near maximum severity CVEs, with path traversal (CWE-22) appearing in every single bulletin. This pattern suggests a systemic weakness in input validation and path handling within the UniFi OS codebase rather than isolated coding errors.

The CSA Singapore agency has issued multiple alerts about Ubiquiti vulnerabilities (AL-2026-025 and AL-2026-059), reflecting governmental concern about the vendor's security posture. On the positive side, Ubiquiti does maintain a HackerOne bug bounty program that serves as a channel for external researchers, and the coordinated disclosure process for CVE-2026-47368 appears to have functioned as intended.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization