UniFi OS Server: Critical security vulnerabilities enable attacks
In UniFi OS Server and the products that ship with it, attackers can exploit five vulnerabilities, among other things to make unauthorized changes.
Several security vulnerabilities have been discovered in UniFi OS Server, the central management platform and operating system for UniFi devices, some with the highest risk rating. Updates are available to fix these vulnerabilities. Anyone using affected UniFi devices should not delay installing the updates.
UniFi warns about the security vulnerabilities in a release announcement. Attackers with network access can, for example, exploit insufficient access control on UniFi OS devices to make unauthorized changes (CVE-2026-34908, CVSS 10.0, risk “critical”). A path traversal vulnerability also allows malicious actors to access and manipulate files of the underlying operating system and thereby gain access to the system account (CVE-2026-34909, CVSS 10.0, risk “critical”). Attackers can also exploit insufficient input validation to inject commands (CVE-2026-34910, CVSS 10.0, risk “critical”).
UniFi OS Server: Further vulnerabilities
Attackers with network access and elevated privileges can also exploit a further case of insufficient input filtering to inject commands (CVE-2026-33000, CVSS 9.1, risk “critical”). Malicious actors with low privileges and network access can exploit a second path traversal vulnerability to manipulate files of the underlying operating system and thus obtain sensitive information (CVE-2026-34911, CVSS 7.7, risk “high”).
Ubiquiti lists the affected device and software versions in the release announcement. Anyone using devices from the manufacturer should check whether their devices are affected and promptly update to UniFi OS Server 5.0.8 or apply the device-specific updates from the list provided.
In mid-March, administrators already had to close a critical security vulnerability in the Ubiquiti UniFi Network Application with an update. That vulnerability allowed attackers, for example, to gain unauthorized access.
(dmk)