The Vulnerabilities
Ubiquiti’s security advisory bulletin published on 18 March 2026 disclosed two vulnerabilities in the UniFi Network Application — the centralised controller software used to manage UniFi access points, switches, gateways, and cameras.
CVE-2026-22557 (CVSS 10.0 — maximum severity) is a path traversal vulnerability that allows an unauthenticated attacker with network access to traverse directory boundaries on the server, read arbitrary files from the underlying operating system, and manipulate those files to gain unauthorised access to system accounts. No credentials, no user interaction, and no special network position are required — any network-accessible UniFi controller is exposed.
CVE-2026-22558 (CVSS 7.7 — High) is a companion NoSQL injection flaw in the same application. An authenticated attacker can exploit it to escalate privileges to administrative level. The two vulnerabilities chain naturally: CVE-2026-22557 provides the initial unauthenticated file read to extract credentials or session tokens from the controller’s data store; CVE-2026-22558 converts that authenticated access into full admin.
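To make the two bug classes concrete, here is an added illustration (not Ubiquiti's code and not a reconstruction of the UniFi flaws, whose details the advisory does not publish): a naive file-path resolver and a naive login-query builder, each next to its hardened form. The base directory, field names and sample inputs are made up for the example.

```python
"""Added illustration, not Ubiquiti's code: the two vulnerability classes named
in the advisory (path traversal, NoSQL injection), each as the naive pattern
beside its hardened form. All paths and field names are constructed."""
import os
from typing import Any, Dict


def naive_resolve(base_dir: str, requested: str) -> str:
    # Vulnerable pattern: a plain join lets "../" segments climb out of base_dir,
    # and an absolute 'requested' value replaces base_dir entirely.
    return os.path.join(base_dir, requested)


def is_within(base_dir: str, requested: str) -> bool:
    """True only if the canonicalised request stays strictly inside base_dir.
    Both sides are passed through realpath so symlinks and '..' are resolved
    before the containment check (the standard path-traversal mitigation)."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    return candidate.startswith(root + os.sep)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Hardened form: canonicalise, then refuse anything outside base_dir."""
    if not is_within(base_dir, requested):
        raise ValueError(f"request escapes base directory: {requested!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), requested))


def naive_login_filter(body: Dict[str, Any]) -> Dict[str, Any]:
    # Vulnerable pattern: decoded JSON values go straight into the database
    # query, so a JSON object carrying a query operator ({"$<operator>": ...})
    # submitted in place of a string is evaluated as that operator.
    return {"username": body.get("username"), "password": body.get("password")}


def safe_login_filter(body: Dict[str, Any]) -> Dict[str, str]:
    """Hardened form: every value must be a plain, non-empty string that does
    not start with '$'. Dicts and lists, which is how operator objects arrive
    from a JSON body, are rejected before any query is built."""
    out: Dict[str, str] = {}
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str) or not value or value.startswith("$"):
            raise ValueError(f"{field!r} must be a non-empty string literal")
        out[field] = value
    return out


if __name__ == "__main__":
    base = "/srv/unifi/data"  # constructed; nothing is read from disk here
    for req in ("sites/default/config.json", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:32} naive={naive_resolve(base, req)!r:48} contained={is_within(base, req)}")
    for body in ({"username": "admin", "password": "s3cret"},
                 {"username": "admin", "password": {"$ne": ""}}):
        try:
            print("accepted:", safe_login_filter(body))
        except ValueError as exc:
            print("rejected:", exc)
```

The containment check deliberately compares against `root + os.sep` rather than `root` alone, so a sibling directory whose name merely starts with the base name is also rejected, and the login filter checks the type of the value rather than trying to strip operator characters, which is the more robust of the two approaches because it does not depend on knowing every operator the database understands.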
What Attackers Can Do
An unauthenticated attacker exploiting CVE-2026-22557 can:
- Read the UniFi controller’s database configuration files, extracting the MongoDB admin credentials that the application uses internally
- Access stored user credential hashes and session tokens from the application database
- Read SSH keys, certificates, and other sensitive files on the underlying server filesystem
- Use the extracted credentials or tokens to log in to the controller as an existing admin user
Once inside the controller as an administrator, the attacker has full management access over every enrolled network device: they can push firmware updates, modify VLAN and firewall configurations, create rogue SSIDs, capture traffic, or pivot onto managed network segments.
Scope of Exposure
At the time of Ubiquiti’s disclosure, Censys was tracking approximately 87,000 internet-exposed UniFi Network Application endpoints, with the largest concentration in the United States (over 28,000). The UniFi Network Application is one of the most widely deployed network management platforms in small and medium enterprises, educational institutions, hospitality, and branch office environments — settings where the controller is frequently left internet-accessible for remote management convenience.
Ubiquiti’s install base for UniFi also includes a substantial prosumer and managed service provider market, meaning compromising a UniFi controller at an MSP could yield access to multiple customer networks managed through a single pane.
Affected Versions
CVE-2026-22557 affects:
- UniFi Network Application prior to 10.1.89 (stable track)
- UniFi Network Application prior to 10.2.97 (release candidate track)
- UniFi Express firmware prior to 4.0.13
Ubiquiti released patched versions alongside the advisory. The fix is available through the standard UniFi update mechanism.
Recommended Actions
- Update the UniFi Network Application immediately to version 10.1.89 or later on the stable track, or 10.2.97 or later on the RC track. If running UniFi Express, update firmware to 4.0.13 or later
- Remove internet exposure of the UniFi controller admin interface — the management web UI and API should not be directly internet-accessible. Place it behind a VPN or zero-trust gateway
- Rotate admin credentials for the UniFi controller and for the underlying server OS, particularly if the controller was internet-accessible before patching
- Review controller access logs for unexpected logins, configuration changes, or firmware pushes between 18 March (disclosure) and the time you applied the patch
- Audit managed device configurations — verify that no rogue SSID additions, VLAN changes, or firewall rule modifications were made that you cannot account for in change management records
Managed service providers running centralised UniFi controllers for multiple clients should treat this as a priority-one emergency: a single compromised controller can expose the network environments of all managed customers.
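For an operator with more than one controller to check, the version thresholds above reduce to a small comparison. The following is an added example, not Ubiquiti's tooling: it parses version strings (collected however you inventory your controllers) and reports which builds are still below the fixed releases. The hostnames and versions in the inventory are constructed, and the track assignment is an assumption: a 10.2.x build is treated as the release candidate track, and anything else as the stable track.

```python
"""Added example, not Ubiquiti's tooling: flag UniFi Network Application and
UniFi Express builds that are below the fixed releases in the advisory.
The inventory below is constructed for the example."""
import re
from typing import List, Tuple

# Fixed releases from the advisory. Track assignment is an assumption:
# a 10.2.x build is treated as the RC track, everything else as the stable track.
FIXED_STABLE = (10, 1, 89)
FIXED_RC = (10, 2, 97)
FIXED_EXPRESS = (4, 0, 13)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.89' (or '10.1.89-something') into a comparable int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(product: str, version: str) -> bool:
    """product is 'network' (UniFi Network Application) or 'express' (UniFi Express)."""
    v = parse_version(version)
    if product == "express":
        return v >= FIXED_EXPRESS
    if product == "network":
        if v[:2] == (10, 2):        # RC track (assumption, see above)
            return v >= FIXED_RC
        return v >= FIXED_STABLE    # stable track, including older 10.0.x / 9.x builds
    raise ValueError(f"unknown product: {product!r}")


def needs_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the names of controllers still running a vulnerable build."""
    return [name for name, product, version in inventory
            if not is_patched(product, version)]


# Constructed inventory: (name, product, version). Hostnames are made up.
INVENTORY = [
    ("unifi-hq.example.internal", "network", "10.1.89"),
    ("unifi-branch.example.internal", "network", "10.1.88"),
    ("unifi-lab.example.internal", "network", "10.2.95"),
    ("unifi-lab2.example.internal", "network", "10.2.97"),
    ("express-shop.example.internal", "express", "4.0.12"),
]

if __name__ == "__main__":
    for name in needs_update(INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

Comparing version tuples rather than strings matters here: a string comparison would rank "10.1.9" above "10.1.89" and silently report a vulnerable controller as patched.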