
Understanding CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910: Critical UniFi OS Vulnerabilities Explained

Ubiquiti UniFi OS devices are widely used to manage networking, security, and infrastructure services from a centralized interface. Because these systems often sit close to the heart of an organization's network, vulnerabilities in UniFi OS deserve serious attention.

In May 2026, three critical vulnerabilities were published affecting UniFi OS devices: CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. All three were assigned a CVSS 3.1 score of 10.0 Critical by the CNA, HackerOne, using the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. NVD has listed the records but has not yet provided its own enrichment assessment.

The vulnerabilities at a glance

CVE             | Weakness                           | Impact summary                                                            | Severity
----------------|------------------------------------|---------------------------------------------------------------------------|--------------------
CVE-2026-34908  | CWE-284: Improper Access Control   | Unauthorized system changes                                               | Critical, CVSS 10.0
CVE-2026-34909  | CWE-22: Path Traversal             | Access to underlying system files, potentially leading to account access  | Critical, CVSS 10.0
CVE-2026-34910  | CWE-20: Improper Input Validation  | Command injection                                                         | Critical, CVSS 10.0

NVD published all three records on May 21, 2026, and last modified them on May 22, 2026. The descriptions and scores in those records were supplied by the CNA, HackerOne.

Why these CVEs matter

The most important detail is the shared CVSS vector:

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

In plain English, this means an attacker may be able to exploit the vulnerabilities:

  • over the network,
  • with low attack complexity,
  • without prior privileges,
  • without user interaction,
  • with potential impact beyond the vulnerable component,
  • and with high impact to confidentiality, integrity, and availability.

That combination is why the CNA score is the maximum possible severity: 10.0 Critical.

It is worth noting that the NVD pages currently say the records are "Not Scheduled" for enrichment, meaning NVD has not yet added its own detailed analysis, product matching, or independent CVSS scoring. The CNA-provided HackerOne score is currently the main severity signal available in the NVD records.

CVE-2026-34908: Improper Access Control

CVE-2026-34908 is described as an Improper Access Control vulnerability in UniFi OS devices. An attacker with network access could exploit it to make unauthorized changes to the system.

Access control flaws happen when a system fails to properly enforce who is allowed to do what. In a management platform like UniFi OS, that can be especially dangerous because administrative settings may affect routing, firewall behavior, device management, VPN configuration, users, and other sensitive controls.

A practical risk scenario is an attacker who can reach a vulnerable UniFi OS interface over the network (the vector's AV:N does not require being on the same LAN) modifying settings they should not be allowed to change. Although the public description is brief, the severity rating suggests the consequences could be broad.

CVE-2026-34909: Path Traversal

CVE-2026-34909 is a Path Traversal vulnerability. The CVE description says it allows a malicious actor with network access to access files on the underlying system, which could then be manipulated to access an underlying account.

Path traversal vulnerabilities occur when an application does not properly restrict file paths. Attackers may try to move outside an intended directory and read or interact with files that should be off limits.

In the context of UniFi OS, this matters because access to local files could expose sensitive data such as configuration files, tokens, account-related data, or other internal system material. The description also suggests that file access could be part of a chain leading to account compromise.
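The following is an added example of the vulnerability class, not UniFi OS code, and it says nothing about where CVE-2026-34909 actually lives. It puts a file handler that trusts the requested path beside a hardened one, and exercises the escape routes a practitioner would test for: plain `../`, a URL-encoded `..%2f`, an absolute path, and a symlink inside the served directory pointing outside it. The directory tree and file contents are constructed for the demo.

```python
"""Path traversal: a vulnerable file handler beside a hardened one.
Added example for this article; not UniFi OS code."""
import os
import shutil
import tempfile
from urllib.parse import unquote


def read_file_unsafe(base_dir: str, requested: str) -> str:
    # VULNERABLE: os.path.join trusts the caller. '../x' walks out of base_dir,
    # and an absolute path makes join() discard base_dir entirely.
    with open(os.path.join(base_dir, requested)) as f:
        return f.read()


def resolve_inside(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` if it stays under base_dir, else raise."""
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)  # decode once so %2e%2e%2f cannot hide from the check
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    # realpath() collapses '..' and follows symlinks, so the comparison is made
    # on the file that would actually be opened, not on the string the caller sent.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def read_file_safe(base_dir: str, requested: str) -> str:
    with open(resolve_inside(base_dir, requested)) as f:
        return f.read()


def demo() -> dict:
    """Build a small constructed tree and record how each handler behaves."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    try:
        public = os.path.join(root, "public")  # the directory the handler is meant to serve
        os.makedirs(public)
        with open(os.path.join(public, "hello.txt"), "w") as f:
            f.write("hello")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("SECRET")  # stands in for a config file or token store outside the served tree

        def blocked(fn, path):
            try:
                fn(public, path)
                return False
            except ValueError:
                return True

        outcomes = {
            "safe_reads_public": read_file_safe(public, "hello.txt"),
            "unsafe_leaks_secret": read_file_unsafe(public, "../secret.txt"),
            "safe_blocks_dotdot": blocked(read_file_safe, "../secret.txt"),
            "safe_blocks_encoded": blocked(read_file_safe, "..%2fsecret.txt"),
            "safe_blocks_absolute": blocked(read_file_safe, os.path.join(root, "secret.txt")),
        }
        # A symlink inside the served directory that points outside it is only
        # caught because the check runs on the resolved path.
        link = os.path.join(public, "link.txt")
        try:
            os.symlink(os.path.join(root, "secret.txt"), link)
            outcomes["safe_blocks_symlink"] = blocked(read_file_safe, "link.txt")
        except OSError:
            outcomes["safe_blocks_symlink"] = None  # symlinks unavailable on this platform
        return outcomes
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The important design point is that the check is made on the resolved path, not on the request string: rejecting the substring `..` would miss the encoded form and the symlink case, and both show up in real traversal findings.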

CVE-2026-34910: Improper Input Validation leading to Command Injection

CVE-2026-34910 is an Improper Input Validation vulnerability that could allow Command Injection on UniFi OS devices.

Command injection is one of the more serious vulnerability classes. It means attacker-controlled input reaches a command the system executes, typically by being spliced into a string that is handed to a shell, so that shell metacharacters in the input become new commands. If successful, this lets an attacker run unauthorized commands on the affected device.

For network appliances and management systems, command injection can be especially severe because the device may have privileged access to network configuration, credentials, logs, and connected services.
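The following added example shows the class in general, not the UniFi OS code or how CVE-2026-34910 works. It contrasts three ways of invoking a command with a caller-supplied host name: a shell string (injectable), an argument vector (no shell, but still open to argument injection through a leading `-`), and an allowlisted value passed as an argument vector. It uses `echo` so it runs offline, and assumes a POSIX system with `/bin/sh` and a coreutils-style `echo` that honours `-n`.

```python
"""Command injection: shell string versus argument vector versus validated
argument vector. Added example for this article; not UniFi OS code."""
import re
import subprocess


def lookup_unsafe(host: str) -> str:
    # VULNERABLE: the input is spliced into a string that /bin/sh parses, so
    # ';', '|', '$(...)' and backticks in the input become command syntax.
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(host: str) -> str:
    # Better: no shell, so metacharacters are just bytes inside one argument.
    # Still exposed to argument injection: a value starting with '-' is read as
    # an option by the program (here 'echo -n' suppresses the trailing newline;
    # for a real tool it could be a far more useful flag).
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


# Allowlist for hostnames / IPv4 literals: letters, digits, '.', '-',
# must start and end with an alphanumeric, so a leading '-' is rejected too.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def validate_host(host: str) -> str:
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def is_accepted(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def lookup_safe(host: str) -> str:
    # Hardened: allowlist the value, then pass it as a single argv element.
    return subprocess.run(["echo", validate_host(host)], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("shell string :", repr(lookup_unsafe(payload)))   # second command runs
    print("argv         :", repr(lookup_argv(payload)))     # payload is one literal argument
    print("argv, '-n'   :", repr(lookup_argv("-n")))        # argument injection
    print("validated    :", is_accepted(payload), is_accepted("-n"), is_accepted("example.com"))
```

Where a shell is unavoidable, `shlex.quote` on each value is the fallback, but the argv form plus an allowlist is the one to reach for first: quoting protects against shell parsing, not against the invoked program interpreting the value as an option.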

What administrators should do

The vendor advisory referenced by the CVE records is Ubiquiti Security Advisory Bulletin 064. Public release-tracking sources also show UniFi OS updates referencing fixes for the security issues in Bulletin 064.

Administrators should take these steps:

Update UniFi OS immediately. Apply the latest UniFi OS firmware or software version available for your device model.

Check whether management interfaces are exposed. UniFi OS management portals should not be directly reachable from the public internet unless absolutely necessary. Restrict access with firewall rules, VPN, trusted IP ranges, or dedicated management networks.

Review account activity and configuration changes. Look for unexpected admin users, SSH changes, firewall rule changes, VPN changes, new API keys, unfamiliar remote access settings, or suspicious device adoption activity.

Rotate sensitive credentials if exposure is suspected. If you believe the device may have been exposed or compromised, rotate UniFi admin credentials, local device credentials, VPN secrets, API tokens, and related passwords.

Segment management networks. Treat UniFi OS as a sensitive administrative asset. Only trusted administrator workstations should be able to reach its management services.

Monitor for follow-up guidance. Because NVD enrichment is not yet complete, affected-version mapping and additional technical details may evolve. Continue tracking the Ubiquiti advisory and NVD records.

Key takeaway

These three vulnerabilities are serious because they affect a network management platform and have CNA-assigned CVSS 10.0 Critical scores. CVE-2026-34908 concerns unauthorized system changes, CVE-2026-34909 concerns path traversal and file access, and CVE-2026-34910 concerns command injection.

For defenders, the response should be simple: patch UniFi OS, restrict management access, audit recent changes, and monitor for new vendor guidance.
