Published 2026-03-20 by TechNet New England
Ubiquiti has disclosed two critical vulnerabilities in its UniFi Network Application that require immediate patching. The most severe, CVE-2026-22557, carries the maximum CVSS score of 10.0 and allows attackers to take over accounts without any authentication.
What's the Risk?
The vulnerability is a Path Traversal flaw that allows attackers with network access to:
- Access sensitive files on the underlying operating system
- Manipulate system files
- Achieve complete account takeover
No authentication, no user interaction, and no special conditions are required to exploit this remotely.
If your UniFi controller is exposed to the internet (even through port forwarding), this is an emergency.
The Two Vulnerabilities
| CVE | Severity | CVSS | Type | Auth Required? |
|---|---|---|---|---|
| CVE-2026-22557 | Critical | 10.0 | Path Traversal | No |
| CVE-2026-22558 | High | 7.7 | NoSQL Injection | Yes |
CVE-2026-22558 requires authentication but can be used for privilege escalation once an attacker has low-level access.
Affected Versions
UniFi Network Application version 10.1.85 and earlier are vulnerable.
This includes:
- Self-hosted UniFi Network Application
- UniFi Dream Machine (UDM) series
- UniFi Cloud Key
- UniFi Express (UX)
The Fix
Update to one of these patched versions immediately:
| Product | Fixed Version |
|---|---|
| UniFi Network Application (Official) | 10.1.89 or later |
| UniFi Network Application (RC) | 10.2.97 or later |
| UniFi Express (UX) Firmware | 4.0.13 or later |
How to Update
For UDM/UDM-Pro/UDM-SE:
- Log into your UniFi Console
- Go to Settings → System → Updates
- Enable "Release Candidate" if you don't see the update
- Click Update
For Self-Hosted Controllers:
- Download the latest version from Ubiquiti Downloads
- Stop the UniFi service
- Install the update
- Restart the service
For Cloud Keys:
- Log into the Cloud Key
- Go to Settings → Updates
- Apply any available firmware and application updates
Immediate Mitigations (If You Can't Update Yet)
If you need time before updating:
- Block external access to the UniFi controller (ports 8443, 8080)
- Disable remote management if enabled
- Segment the network so only trusted VLANs can reach the controller
- Check for unauthorized admin accounts in the UniFi console
How to Check Your Version
- Log into your UniFi Network Application
- Click the gear icon (Settings)
- Go to System
- Look for "Network Application Version"
If it shows 10.1.85 or lower, you're vulnerable.
Credit
The vulnerabilities were discovered by security researcher Garett Kopcha (@0x5t) and responsibly disclosed to Ubiquiti.
References
- Ubiquiti Security Advisory Bulletin 056
- BleepingComputer - Ubiquiti UniFi Flaw
- Security Affairs - Critical Ubiquiti Flaw
Need Help?
If you're running UniFi equipment and aren't sure whether you're affected or how to update safely, we can help. A quick review of your network setup can ensure you're protected against this and other vulnerabilities.