Introduction
A low privileged user on the same network as a Ubiquiti UniFi OS device can exploit an input validation flaw to escalate their privileges on the appliance, and a companion path traversal vulnerability can be chained to remove even that low privilege requirement entirely. CVE-2026-47369, carrying a CVSS 9.9 score, is one of three critical vulnerabilities disclosed in Ubiquiti's Security Advisory Bulletin 065, continuing a pattern of quarterly critical advisories against the UniFi OS platform that began in March 2026.
Ubiquiti's networking equipment is widely deployed across small and mid sized businesses, ISPs, managed service providers, and a large enthusiast community, with the company generating $2.574B in annual revenue in 2025. The broad install base and the appliance's typical placement at the network edge make any critical UniFi OS vulnerability a high priority patching event.
Technical Information
Root Cause: CWE-20 Improper Input Validation
CVE-2026-47369 is classified under CWE-20 (Improper Input Validation). The NVD description states: "A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances."
The full CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| Parameter | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable over the network |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Any authenticated low level user suffices |
| User Interaction | None | No victim action needed |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Full read access to the system |
| Integrity | High | Full write access to the system |
| Availability | High | Complete denial of service possible |
The "Scope: Changed" designation is particularly significant. It indicates that successful exploitation allows the attacker to affect resources beyond the security scope of the vulnerable component itself, consistent with a privilege escalation that grants control over the entire UniFi OS device or instance.
What We Know About the Attack Flow
The specific input validation flaw mechanism, including which input field, API endpoint, or protocol is vulnerable, has not been publicly disclosed by Ubiquiti or the discovering researcher. What we can establish from the advisory and surrounding context:
-
Entry point: An attacker needs network access to the UniFi OS device and a low privilege authenticated session. In many UniFi deployments, this could be any user with a basic account on the management interface.
-
Exploitation: The attacker submits crafted input that the UniFi OS fails to properly validate, triggering a privilege escalation. The low attack complexity and absence of user interaction requirements indicate this is a straightforward exploitation path.
-
Outcome: The attacker gains elevated privileges on the UniFi OS device. The exact privilege level attainable (root, admin, or an intermediate role) is not specified in the advisory, but the CVSS impact scores of High across all three categories suggest full system compromise is achievable.
Chaining Context: The Real Threat Multiplier
The advisory for Bulletin 065 contains a detail that significantly changes the risk calculus. CVE-2026-47368, a path traversal vulnerability also patched in this bulletin, carries an explicit note that it "can be chained with other vulnerabilities to eliminate the requirement for low-privileged access." This means the combined chain of CVE-2026-47368 plus CVE-2026-47369 could be exploitable by a completely unauthenticated network attacker, removing the one meaningful barrier to exploitation.
Bulletin 065 also includes CVE-2026-47367, a command injection flaw in the UID Enterprise Agent scoring CVSS 9.9. The advisory distinguishes CVE-2026-47369 (privilege escalation) from its sibling CVE-2026-47370, which shares the same improper input validation root cause but enables command injection instead. Together, these four CVEs present a rich attack surface for chaining.
This chaining concern is not theoretical. BleepingComputer previously reported that the three vulnerabilities from Bulletin 064 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, all CVSS 10.0) were demonstrated as chainable to achieve unauthenticated remote code execution with root privileges on UniFi OS. The same pattern of multi-CVE chaining is plausible for Bulletin 065 flaws, though it has not been publicly demonstrated as of the publication date.
Patch Information
Ubiquiti addressed CVE-2026-47369 through a firmware level patch disclosed in Security Advisory Bulletin 065, published on June 10, 2026. Because UniFi OS is proprietary closed source firmware, there are no public source code diffs or commit level changes to inspect. The fix is delivered exclusively through official firmware updates.
The fixed versions vary by device family:
| Device Family | Examples | Fixed Version |
|---|---|---|
| Gateways and Consoles | UDM, UDM Pro, UDM SE, UDM Pro Max, UDM Beast, EFG, UDW, UDR, UDR7, UDR 5G, Express 7, UCG Ultra, UCG Max, UCG Industrial, UCG Fiber | UniFi OS 5.1.15 or later |
| Cloud Keys | UCK, UCKP, UCK Enterprise | UniFi OS 5.1.15 or later |
| NVR Devices | UNVR, UNVR Pro, UNVR Instant, ENVR, ENVR Core, UNVR G2, UNVR G2 Pro | UniFi OS 5.1.15 or later |
| UniFi OS Server | Server installations | Version 5.1.15 or later |
| NAS Devices | UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8 | Version 5.1.16 or later |
| Express Appliances | Express line | Version 4.0.15 or later |
Note that the UNAS line requires version 5.1.16 (not 5.1.15), which bundles UniFi Drive 4.2.2. All other product lines received 5.1.15 builds simultaneously.
Critically, applying this single firmware update addresses the full chaining risk: both CVE-2026-47369 and the companion CVE-2026-47368 (the path traversal that eliminates the low privilege requirement) are resolved by the same update. Organizations should not treat these as separate patching events.
The Canadian Centre for Cyber Security published advisory AV26-589 on June 11, 2026, confirming the availability of these vendor patches.
The vulnerability was credited to security researcher Brandon Rossi (also known as @0xConda), who reported it through Ubiquiti's HackerOne coordinated vulnerability disclosure program.
Affected Systems and Versions
Based on the advisory, the following device families running UniFi OS versions prior to the patched releases are affected:
Gateway and Console Devices (vulnerable below UniFi OS 5.1.15): UDM, UDM Pro, UDM SE, UDM Pro Max, UDM Beast, EFG, UDW, UDR, UDR7, UDR 5G, Express 7, UCG Ultra, UCG Max, UCG Industrial, UCG Fiber
Cloud Key Devices (vulnerable below UniFi OS 5.1.15): UCK, UCKP, UCK Enterprise
NVR Devices (vulnerable below UniFi OS 5.1.15): UNVR, UNVR Pro, UNVR Instant, ENVR, ENVR Core, UNVR G2, UNVR G2 Pro
UniFi OS Server (vulnerable at version 5.0.8 and earlier)
NAS Devices (vulnerable below version 5.1.16): UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8
Express Appliances (vulnerable below version 4.0.15)
The UID Enterprise Agent is also affected by a separate vulnerability in the same bulletin (CVE-2026-47367) and requires upgrade to version 1.61.4 or later.
Vendor Security History
Ubiquiti's security track record in 2026 reveals a concentrated pattern of critical disclosures:
| Date | Event | Severity |
|---|---|---|
| January 2021 | Major data breach via third party cloud provider; whistleblower accused Ubiquiti of downplaying the scope | Critical |
| March 2026 | Security Advisory Bulletin 062: Multiple vulnerabilities in UniFi Network Server (self hosted) | High |
| March 2026 | TrueSec disclosed CVE-2026-22557 (path traversal, CVSS 10.0) and CVE-2026-22558 (NoSQL injection privilege escalation) in UniFi Network Application | Critical |
| May 2026 | Security Advisory Bulletin 064: Three CVSS 10.0 UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) chainable for unauthenticated root RCE | Critical |
| June 2026 | Security Advisory Bulletin 065: Three CVSS 9.9 flaws (CVE-2026-47367, CVE-2026-47369, CVE-2026-47370) in UniFi OS and UID Enterprise Agent | Critical |
Three critical bulletins in a single quarter, with recurring themes of improper input validation and inadequate access control, suggests systemic weaknesses in the UniFi OS platform layer rather than isolated bugs. TrueSec has also noted that Ubiquiti devices have been increasingly targeted by state sponsored groups for botnet operations against U.S. and allied networks, adding operational urgency to the patching cadence.
Organizations running Ubiquiti infrastructure should establish a standing rapid patching workflow for UniFi OS devices. Based on the 2026 cadence, critical advisories are arriving approximately monthly.
References
- NVD: CVE-2026-47369
- Ubiquiti Security Advisory Bulletin 065
- Security Advisory Bulletin 065 Community Discussion
- SecurityOnline: Critical 9.9 CVSS Ubiquiti UniFi OS Vulnerabilities Exposed
- Ubiquiti Firmware Release Tracker
- Canadian Centre for Cyber Security Advisory AV26-589
- BleepingComputer: Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication
- TrueSec: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- Reddit PSA: Security Advisory Bulletin 065
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- Ubiquiti Security Advisory Bulletin 064
- Ubiquiti Security Advisory Bulletin 062



