CVE-2026-34908
published 2026-05-22


Priority: P1 (92), critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
KEV / ITW: CISA Known Exploited Vulnerability, due 2026-06-26; exploited in the wild
EPSS: 2.45% (82.4th percentile)
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

Affected

62 ranges, showing 25

Vendor        Product          Version range   Fixed in
ubiquiti_inc  efg              < 5.1.12        5.1.12
ubiquiti_inc  envr             < 5.1.12        5.1.12
ubiquiti_inc  envr-core        < 5.1.12        5.1.12
ubiquiti_inc  express_7        < 5.1.12        5.1.12
ubiquiti_inc  ucg-fiber        < 5.1.12        5.1.12
ubiquiti_inc  ucg-industrial   < 5.1.12        5.1.12
ubiquiti_inc  ucg-max          < 5.1.12        5.1.12
ubiquiti_inc  ucg-ultra        < 5.1.12        5.1.12
ubiquiti_inc  uck              < 5.1.12        5.1.12
ubiquiti_inc  uck-enterprise   < 5.1.12        5.1.12
ubiquiti_inc  uckp             < 5.1.12        5.1.12
ubiquiti_inc  udm              < 5.1.12        5.1.12
ubiquiti_inc  udm-beast        < 5.1.11        5.1.11
ubiquiti_inc  udm-pro          < 5.1.12        5.1.12
ubiquiti_inc  udm-pro-max      < 5.1.12        5.1.12
ubiquiti_inc  udm-se           < 5.1.12        5.1.12
ubiquiti_inc  udr              < 5.1.12        5.1.12
ubiquiti_inc  udr-5g           < 5.1.12        5.1.12
ubiquiti_inc  udr7             < 5.1.12        5.1.12
ubiquiti_inc  udw              < 5.1.12        5.1.12
ubiquiti_inc  unas-2           < 5.1.10        5.1.10
ubiquiti_inc  unas-4           < 5.1.10        5.1.10
ubiquiti_inc  unas-pro         < 5.1.10        5.1.10
ubiquiti_inc  unas-pro-4       < 5.1.10        5.1.10
ubiquiti_inc  unas-pro-8       < 5.1.10        5.1.10

Detection & IOCs (extracted from sources)

  • The authentication bypass exploits a mismatch between how UniFi OS validates and routes requests: the authentication component evaluates the raw request URI, while Nginx routes based on a normalized URI. Craft detection for requests that target authentication-exempt endpoints in raw form but resolve to protected internal routes after normalization.
  • Privilege escalation to root is trivial because the affected service account has passwordless sudo access to several system binaries. Monitor for unexpected sudo commands originating from the ucs-update service account.
  • Bishop Fox released a free detection script on GitHub that safely sends a specially crafted request to the vulnerable code path without executing dangerous commands, classifying the target as 'vulnerable,' 'patched,' 'unaffected,' or 'inconclusive.' Use this to identify unpatched instances.
  • Successful compromise of UniFi OS devices can enable lateral movement across the broader network, including physical-access doors, surveillance cameras, and identity systems governed by the console. Treat any UniFi OS compromise as a full network-level incident.
  • CVE-2026-34908 is part of a three-CVE chain (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910). All three must be patched together; patching only CVE-2026-34908 in isolation does not eliminate the full unauthenticated RCE risk.
  • The affected scope is UniFi OS Server versions 5.0.6 and earlier. Versions 5.0.8 and later are confirmed unaffected by the full exploit chain.
  • The detection script from Bishop Fox does NOT detect active attacks, past exploitation, or the presence of persistence mechanisms or backdoors — only whether the instance is currently vulnerable.
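Added example of the detection idea in the first bullet (this is not code from the page, from Bishop Fox, or from Ubiquiti): for each logged request, compare the raw path against an approximation of the proxy's normalized path and flag requests that look auth-exempt in raw form but resolve outside the exempt tree. The exempt and protected prefixes and the log lines are constructed placeholders, not real UniFi OS routes.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical policy (assumption, not UniFi OS routes): prefixes the auth layer
# exempts, and prefixes that should only be reachable after authentication.
EXEMPT_PREFIXES = ("/public/", "/static/")
PROTECTED_PREFIXES = ("/internal/", "/admin/")

# Constructed sample log lines in combined-log style, not captured from a device.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2026:10:00:01 +0000] "GET /public/app.js HTTP/1.1" 200 512
10.0.0.7 - - [22/May/2026:10:00:02 +0000] "GET /public/../internal/settings HTTP/1.1" 200 88
10.0.0.7 - - [22/May/2026:10:00:03 +0000] "POST /public/%2e%2e/admin/users HTTP/1.1" 200 12
10.0.0.9 - - [22/May/2026:10:00:04 +0000] "GET /static//logo.png HTTP/1.1" 200 2048
10.0.0.9 - - [22/May/2026:10:00:05 +0000] "GET /admin/users HTTP/1.1" 401 0
"""

REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalize_path(raw_uri: str, rounds: int = 2) -> str:
    """Approximate proxy-side normalization: drop the query, percent-decode
    repeatedly (catches double encoding), then collapse '//', '.' and '..'."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath never climbs above '/'; lstrip avoids POSIX's leading '//' special case
    return posixpath.normpath("/" + path.lstrip("/"))


def is_suspicious(raw_uri: str) -> bool:
    """True when the raw path looks auth-exempt but its normalized form leaves
    the exempt tree (including landing on a protected route)."""
    raw_path = raw_uri.split("?", 1)[0]
    if not raw_path.startswith(EXEMPT_PREFIXES):
        return False
    norm = normalize_path(raw_uri)
    return norm.startswith(PROTECTED_PREFIXES) or not norm.startswith(EXEMPT_PREFIXES)


def scan_log(text: str) -> list:
    """Return (src, method, raw_uri, normalized_path) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and is_suspicious(m["uri"]):
            hits.append((m["src"], m["method"], m["uri"], normalize_path(m["uri"])))
    return hits
```

A benign double slash (`/static//logo.png`) normalizes back into the exempt tree and is not flagged; only requests whose normalized path escapes it are reported.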

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL
cisa: 10.0 CRITICAL