Introduction
Ubiquiti's UniFi OS just received its third major security bulletin in under three months, and this one bundles five CVEs together, including a path traversal flaw that lets a network adjacent attacker read arbitrary files from affected devices. CVE-2026-47368 scores 8.6 on NVD (9.9 per Ubiquiti's own assessment) and sits alongside command injection and privilege escalation vulnerabilities that, when chained, could lead to complete device compromise.
Technical Information
Root Cause: CWE-22 Path Traversal
CVE-2026-47368 falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability resides in the UniFi OS application layer, where insufficient input validation on file path parameters allows an attacker to inject directory traversal sequences (such as ../) into requests. This enables the attacker to escape the intended directory boundary and read arbitrary files on the underlying filesystem of the UniFi OS device.
The official NVD description states: "A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to obtain data from such UniFi OS devices or instances."
Because UniFi OS is closed source firmware, no source level diff or vulnerable code snippet is publicly available. The fix is delivered exclusively through official firmware images.
Attack Vector and Prerequisites
The attack requires network adjacency: the attacker must be on the same local network segment as the UniFi OS device or have a route to its management interface. This is a meaningful constraint compared to the Bulletin 064 vulnerabilities, which were WAN exploitable. Community discussion on Reddit confirms that Bulletin 065 vulnerabilities require local network access and have "no remote execution."
However, the advisory explicitly notes a critical detail: this CVE can be chained with other vulnerabilities to eliminate the requirement for low privileged access. This means that in combination with the four other CVEs in Bulletin 065 (CVE-2026-47367, CVE-2026-47369, CVE-2026-47370, CVE-2026-48610), the effective attack surface may be broader than the path traversal alone suggests.
Vulnerability Chaining Context
The chaining concern is not theoretical. A June 8, 2026 BleepingComputer report documented that three previously patched UniFi OS vulnerabilities from Bulletin 064 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) could be chained to achieve unauthenticated remote code execution with root privileges on the UniFi OS Server. That chain combined an access control flaw, a path traversal flaw, and an input validation flaw.
Bulletin 065 presents a structurally similar set of vulnerability classes: path traversal (CVE-2026-47368), command injection, and privilege escalation via improper input validation. The CSA Singapore advisory (AL-2026-059) specifically warns that chaining vulnerabilities in the same bulletin could lead to "complete compromise of the target device."
CVSS Scoring Discrepancy
NVD assigned a score of 8.6 (High), while Ubiquiti rates the vulnerability at CVSS 9.9 (Critical). The full CVSS v3.1 vector string was not yet populated in the NVD entry at the time of publication. The discrepancy likely reflects differences in how the network adjacent attack vector is weighted: Ubiquiti may have scored exploitability higher given the low complexity of path traversal attacks and the chaining potential, while NVD may have applied a more conservative assessment of the network adjacency requirement.
Bulletin 065 Vulnerability Summary
| CVE | Vulnerability Type | Affected Product |
|---|---|---|
| CVE-2026-47367 | (Disclosed in Bulletin 065) | UniFi OS |
| CVE-2026-47368 | Path Traversal | UniFi OS |
| CVE-2026-47369 | (Disclosed in Bulletin 065) | UniFi OS |
| CVE-2026-47370 | (Disclosed in Bulletin 065) | UniFi OS / UID Enterprise Agent |
| CVE-2026-48610 | (Disclosed in Bulletin 065) | UID Enterprise Agent |
The discovery of CVE-2026-47368 is credited to researcher Brandon Rossi, reported through the HackerOne bug bounty program, which served as the CNA for this CVE.
Patch Information
Ubiquiti addressed CVE-2026-47368 through firmware updates released on June 10, 2026, documented in Security Advisory Bulletin 065. Because UniFi OS is closed source firmware, no source level diff is publicly available; the fix is delivered exclusively through official firmware images.
The fixed firmware versions vary by device family:
| Device Family | Vulnerable Versions | Fixed Version |
|---|---|---|
| UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCK, UCKP, UCK-Enterprise, UNVR, UNVR-Pro, UNVR-Instant, ENVR, ENVR-Core, UNVR-G2, UNVR-G2-Pro, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber | ≤ 5.1.12 | 5.1.15 |
| UniFi OS Server | ≤ 5.0.8 | 5.1.15 |
| UDM-Beast | ≤ 5.1.11 | 5.1.15 |
| UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8 | ≤ 5.1.10 | 5.1.16 |
| Express | ≤ 4.0.14 | 4.0.15 |
Note the version split across firmware branches: while most device families are patched at 5.1.15, the UNAS (Network Attached Storage) line requires 5.1.16, and the Express line has its own branch at 4.0.15. This is because the NAS and Express products run different firmware branches from the main UniFi OS gateway/recorder family, so the path traversal fix landed at slightly different version numbers per branch.
UniFi OS console users (Dream Machine, Dream Wall, Dream Router, Cloud Key, Cloud Gateway) should apply the firmware update through their device management interface. Self hosted UniFi OS Server administrators should download version 5.1.15 from the Ubiquiti downloads page.
Important: Patching CVE-2026-47368 in isolation is insufficient. All five Bulletin 065 CVEs must be addressed together, as the advisory confirms that this path traversal flaw can be chained with the other disclosed vulnerabilities to escalate impact.
Compensating Controls
For environments where immediate patching is not feasible:
- Place UniFi OS management interfaces on isolated VLANs or management networks not accessible from general user segments
- Do not expose the UniFi OS management interface to the internet under any circumstances
- Monitor for unauthorized Super Admin invites, particularly accounts named
unifi_support, which has been identified as a hallmark of a known threat actor targeting UniFi devices - Enable email and push notifications for security events and admin actions within UniFi OS settings
Affected Systems and Versions
The following UniFi OS device families and version ranges are confirmed vulnerable:
UniFi OS Consoles and Gateways (versions ≤ 5.1.12): UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCK, UCKP, UCK-Enterprise, UNVR, UNVR-Pro, UNVR-Instant, ENVR, ENVR-Core, UNVR-G2, UNVR-G2-Pro, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber.
UniFi OS Server (versions ≤ 5.0.8): The self hosted Linux server variant.
UDM-Beast (versions ≤ 5.1.11).
UNAS Network Attached Storage (versions ≤ 5.1.10): UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8.
Express (versions ≤ 4.0.14).
As noted by runZero's analysis, the path traversal flaw exists within the application layer, making "any host running a vulnerable version of the Network Application a potential target." The broad deployment of UniFi devices across SMB, prosumer, and some enterprise environments means the potential attack surface is substantial.
Vendor Security History
Ubiquiti's 2026 security track record reveals a concerning pattern of critical severity vulnerabilities disclosed in rapid succession:
| Date | Bulletin | CVEs | Max CVSS | Vulnerability Types | Patch Version |
|---|---|---|---|---|---|
| 2026-03-19 | Standalone | CVE-2026-22557, CVE-2026-22558 | 10.0 | Path Traversal, NoSQL Injection | UniFi Network Application 8.6.9 |
| 2026-05-22 | Bulletin 064 | CVE-2026-34908, 34909, 34910, 34911 | 10.0 | Access Control, Path Traversal, Input Validation | UniFi OS 5.1.12 |
| 2026-06-11 | Bulletin 065 | CVE-2026-47367, 47368, 47369, 47370, 48610 | 9.9 (Ubiquiti) / 8.6 (NVD) | Path Traversal, Command Injection, Input Validation | UniFi OS 5.1.15 |
Three major vulnerability disclosures in under three months, each containing maximum or near maximum severity CVEs, with path traversal (CWE-22) appearing in every single bulletin. This pattern suggests a systemic weakness in input validation and path handling within the UniFi OS codebase rather than isolated coding errors.
The CSA Singapore agency has issued multiple alerts about Ubiquiti vulnerabilities (AL-2026-025 and AL-2026-059), reflecting governmental concern about the vendor's security posture. On the positive side, Ubiquiti does maintain a HackerOne bug bounty program that serves as a channel for external researchers, and the coordinated disclosure process for CVE-2026-47368 appears to have functioned as intended.
References
- CVE-2026-47368 on NVD
- CVE-2026-47368 on CVE.org
- Ubiquiti Security Advisory Bulletin 065
- Security Advisory Bulletin 065 Community Discussion
- UniFi OS Vulnerabilities CVSS 9.9 (SecurityOnline)
- CSA Singapore Alert AL-2026-059: Multiple Critical Vulnerabilities in Ubiquiti UniFi OS
- BleepingComputer: Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication
- BleepingComputer: Ubiquiti Patches Three Max Severity UniFi OS Vulnerabilities
- Field Effect: Maximum Severity UniFi OS Vulnerabilities
- runZero: UniFi Network Application Vulnerabilities
- CyCognito: Ubiquiti UniFi Network Application Path Traversal
- Reddit: PSA Security Advisory Bulletin 065
- UniFi OS Dream Machines 5.1.15 Release Notes
- UniFi OS Server 5.1.15 Release Notes
- Ubiquiti Software Downloads
- Ubiquiti Security Advisory Bulletin 064
- Truesec: Multiple Vulnerabilities in Ubiquiti UniFi Network Application



