ubiquiticve-2026-50746uni-finetwork-security

Ubiquiti UniFi Connect suffers critical CVE-2026-50746 command injection flaw

Ubiquiti patched a CVSS 10.0 command injection (CVE-2026-50746) in UniFi Connect and disclosed 7 other critical flaws across its ecosystem.

Diego Diaz
5 min

What Happened

Ubiquiti released emergency updates for its UniFi ecosystem, fixing a maximum‑severity command injection vulnerability (CVE-2026-50746) in the UniFi Connect application. The flaw allows an unauthenticated attacker on the same network to execute arbitrary commands on the host device, earning a CVSS score of 10.0. The Hacker News and BleepingComputer confirmed the issue and the immediate patch release.

Technical Analysis

The vulnerability resides in an improper access‑control check within the UniFi Connect application (versions ≤ 3.4.16). When an attacker can reach the service over the network, they can craft a request that bypasses authentication and triggers a command‑injection routine, executing shell commands on the underlying host. The CVE is listed as CVE‑2026‑50746 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The advisory recommends upgrading to UniFi Connect 3.4.20 or later, which contains the fix. SOCRadar provides the detailed CVSS vector and remediation steps.

Alongside CVE‑2026‑50746, Ubiquiti disclosed six additional high‑severity flaws: CVE‑2026‑50747 (SQL injection in UniFi Talk, CVSS 9.9), CVE‑2026‑50748 (input validation in UniFi Access, CVSS 9.9), CVE‑2026‑54400 (access‑control in UniFi Access, CVSS 9.1), CVE‑2026‑55115 (SSRF in UniFi Protect, CVSS 9.9), CVE‑2026‑54402 (input validation in UniFi OS, CVSS 9.9) and CVE‑2026‑55116 (access‑control in UniFi OS, CVSS 9.0). All were addressed in the same patch cycle. The Hacker News lists these alongside the primary CVE.

Who’s Affected

The bug affects any deployment of UniFi Connect version 3.4.16 or earlier, which includes many on‑premise installations of UniFi controllers, UDM/UDM‑Pro appliances, and cloud‑managed UniFi sites. According to Censys, over 100 000 UniFi OS instances are publicly reachable, with roughly half located in the United States. While there is no public evidence of wild exploitation yet, the severity and network‑local attack surface make immediate remediation critical for enterprises and MSPs that manage large numbers of UniFi devices.

How to Protect Yourself

  • Upgrade UniFi Connect to version 3.4.20 or later immediately. The update is available through the UniFi Network controller UI or via the Ubiquiti firmware repository.
  • Apply the same patch level to all other UniFi components (Talk 5.2.2, Access 4.2.29, Protect 7.1.83, OS 5.1.19) to close the related CVEs.
  • Restrict network access to UniFi management interfaces. Use firewall rules or VLAN segmentation to limit exposure to trusted subnets only.
  • Enable two‑factor authentication on UniFi accounts and enforce strong passwords to mitigate credential‑theft attempts.
  • Conduct a rapid vulnerability scan of your environment to confirm no lingering instances of the vulnerable versions remain.

The Sable Angle

At Sable we routinely audit network‑management stacks for exactly these kinds of supply‑chain flaws. Our recent research on IoT‑focused attack surfaces highlighted how a single compromised controller can give attackers full visibility into a corporate LAN. By integrating continuous monitoring of UniFi endpoints into our automated security platform, we can detect outdated firmware before it becomes a leverage point. Learn more about our approach in the OpenClaw research series and see how our managed detection service can keep your infrastructure patched in real time.