Security
Ubiquiti patches critical UniFi flaws including CVSS 10.0 command injection across Connect, Talk, Access, Protect and OS
Image: Primary Ubiquiti has shipped security updates addressing multiple critical flaws in UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect and UniFi OS, The Hacker News reported on Jul 08, 2026.
According to the report, which linked to a Ubiquiti security advisory on community.ui.com, the issues could result in privilege escalation and arbitrary command execution. The most severe is CVE-2026-50746, an improper access control vulnerability in the UniFi Connect Application with a CVSS score of 10.0. An attacker with network access could use it to execute a command injection on the host device. It affects versions 3.4.16 and earlier and is fixed in version 3.4.20.
The Hacker News also listed CVE-2026-50747, authenticated SQL injection flaws in UniFi Talk with a CVSS score of 9.9, fixed in version 5.2.2; UniFi Access issues CVE-2026-50748 (CVSS score: 9.9) and CVE-2026-54400 (CVSS score: 9.1), fixed in version 4.2.29; UniFi Protect Server-Side Request Forgery CVE-2026-55115 with a CVSS score of 9.9, fixed in version 7.1.83; and UniFi OS flaws CVE-2026-54402 (CVSS score: 9.9) and CVE-2026-55116 (CVSS score: 9.0), fixed in version 5.1.19. There is no evidence that the flaws have been exploited in the wild, the report said.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.