The Digital Security Authority (DSA) wishes to bring to your attention a set of vulnerabilities affecting Ubiquiti UniFi OS devices.
Executive Summary:
Ubiquiti has released a Security Advisory Bulletin addressing five critical vulnerabilities affecting multiple UniFi OS devices and UniFi OS Server deployments. The vulnerabilities include Improper Access Control, Command Injection, and Path Traversal flaws that could allow remote attackers to gain unauthorized access, execute commands, manipulate system configurations, and access sensitive files.
Several of the disclosed vulnerabilities carry a maximum CVSS score of 10.0 Critical, indicating severe risk to affected environments. Successful exploitation could lead to full system compromise, unauthorized administrative actions, credential theft, and exposure of sensitive information.
Organizations using affected UniFi products should prioritize immediate patching and review device exposure to untrusted networks.
Vulnerability Details
1. Command Injection Vulnerability
CVE Information:
• CVE ID: CVE-2026-33000
• CVSS Score: 9.1 (Critical)
• Fixed Version:
  • UniFi OS Server: Version 5.0.8 or later
2. Improper Access Control Vulnerability
CVE Information:
• CVE ID: CVE-2026-34908
• CVSS Score: 10.0 (Critical)
• Fixed Versions:
  • Most affected devices: Version 5.1.12 or later
  • UniFi OS Server: Version 5.0.8 or later
  • UNAS devices: Version 5.1.10 or later
  • UDM-Beast: Version 5.1.11 or later
3. Path Traversal Vulnerability
CVE Information:
• CVE ID: CVE-2026-34909
• CVSS Score: 10.0 (Critical)
• Fixed Versions:
  • Most affected devices: Version 5.1.12 or later
  • Express: Version 4.0.14 or later
  • UniFi OS Server: Version 5.0.8 or later
4. Remote Command Injection Vulnerability
CVE Information:
• CVE ID: CVE-2026-34910
• CVSS Score: 10.0 (Critical)
• Fixed Versions:
  • Most affected devices: Version 5.1.12 or later
  • UniFi OS Server: Version 5.0.8 or later
5. Path Traversal Information Disclosure Vulnerability
CVE Information:
• CVE ID: CVE-2026-34911
• CVSS Score: 7.7 (High)
• Fixed Versions:
  • Most affected devices: Version 5.1.12 or later
  • UniFi OS Server: Version 5.0.8 or later
Recommendations
The Digital Security Authority (DSA) recommends applying the mitigation or workaround provided by Ubiquiti.
• Immediately update all affected UniFi OS devices to the latest patched versions.
• Prioritize internet-exposed UniFi management interfaces and controllers.
• Disable external administrative access where not required.
• Review firewall rules restricting access to UniFi management services.
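To make the first two recommendations actionable, the following is an added example (written for this bulletin, not code from the DSA or from Ubiquiti) that checks a device inventory against the fixed versions listed above and orders the result so that internet-exposed, still-vulnerable devices come first. The fixed-version table is transcribed from the bulletin; the inventory, the device-class names (unifi_os_server, unas, udm_beast, express) and the rule that a device class not named under a CVE falls under the "Most affected devices" threshold, where one is listed, are assumptions of this example. Where the bulletin lists no fixed version for a class (CVE-2026-33000 only names UniFi OS Server), the check reports "unknown" rather than guessing.

```python
"""Exposure check of a UniFi inventory against the fixed versions in the DSA bulletin.

Added example, not part of the bulletin. The FIXED_VERSIONS table is transcribed
from the advisory text; the inventory at the bottom is constructed sample data.
Assumption: a device class not listed by name under a CVE falls under the
"Most affected devices" (default) threshold when one exists; otherwise the
advisory gives no threshold and the device is reported as "unknown" for that CVE.
"""
import re

# Fixed versions per CVE, keyed by an assumed device-class name.
# "default" stands for the bulletin's "Most affected devices" entry.
FIXED_VERSIONS = {
    "CVE-2026-33000": {"unifi_os_server": "5.0.8"},
    "CVE-2026-34908": {"default": "5.1.12", "unifi_os_server": "5.0.8",
                       "unas": "5.1.10", "udm_beast": "5.1.11"},
    "CVE-2026-34909": {"default": "5.1.12", "express": "4.0.14",
                       "unifi_os_server": "5.0.8"},
    "CVE-2026-34910": {"default": "5.1.12", "unifi_os_server": "5.0.8"},
    "CVE-2026-34911": {"default": "5.1.12", "unifi_os_server": "5.0.8"},
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def parse_version(text):
    """Turn '5.1.12' into (5, 1, 12) so versions compare numerically, not as strings
    (string comparison would rank '5.1.9' above '5.1.12'). Rejects anything that is
    not two to four dotted integers, so a malformed inventory entry fails loudly."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def threshold_for(cve, device_class):
    """Fixed version that applies to this class for this CVE, or None if the
    bulletin lists no threshold for it."""
    table = FIXED_VERSIONS[cve]
    return table.get(device_class, table.get("default"))


def cve_status(device_class, version):
    """Map every CVE in the bulletin to 'vulnerable', 'fixed' or 'unknown'."""
    running = parse_version(version)
    status = {}
    for cve in FIXED_VERSIONS:
        fixed = threshold_for(cve, device_class)
        if fixed is None:
            status[cve] = "unknown"          # advisory lists no fixed version here
        elif running < parse_version(fixed):
            status[cve] = "vulnerable"       # below the fixed version
        else:
            status[cve] = "fixed"            # at or above the fixed version
    return status


def assess_inventory(inventory):
    """Return one record per device, ordered by patch priority: vulnerable and
    internet-exposed first, then vulnerable but internal, then everything else."""
    records = []
    for device in inventory:
        status = cve_status(device["class"], device["version"])
        records.append({
            "name": device["name"],
            "class": device["class"],
            "version": device["version"],
            "exposed": device["exposed"],
            "vulnerable": sorted(c for c, s in status.items() if s == "vulnerable"),
            "unknown": sorted(c for c, s in status.items() if s == "unknown"),
        })
    records.sort(key=lambda r: (not r["vulnerable"], not r["exposed"], r["name"]))
    return records


# Constructed sample inventory (not real hosts); "exposed" means the management
# interface is reachable from an untrusted network.
SAMPLE_INVENTORY = [
    {"name": "gw-branch-01", "class": "udm_beast", "version": "5.1.9", "exposed": True},
    {"name": "nas-hq-01", "class": "unas", "version": "5.1.10", "exposed": False},
    {"name": "uos-server-hq", "class": "unifi_os_server", "version": "5.0.8", "exposed": True},
    {"name": "express-lab", "class": "express", "version": "4.0.12", "exposed": False},
]

if __name__ == "__main__":
    for rec in assess_inventory(SAMPLE_INVENTORY):
        flag = "EXPOSED " if rec["exposed"] else "internal"
        print(f"{flag} {rec['name']:<14} {rec['class']:<16} {rec['version']:<8} "
              f"vulnerable={rec['vulnerable']} unknown={rec['unknown']}")
```

Feed it the real inventory exported from your asset management, and treat any device reported "unknown" for a CVE as a prompt to confirm its class against Ubiquiti's bulletin rather than as safe.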
Please distribute this information among your subsidiaries and partners, and provide us with any pertinent information or findings you may have (such as Indicators of Compromise, Tactics, Techniques, and Procedures, etc.).
The Digital Security Authority (DSA) extends its appreciation for the continued collaboration.
Disclaimer
The information presented in this report is based on available data up to the 25th of May 2026.