Description
A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information.
Published: 2026-05-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal vulnerability exists in the UniFi OS device web interface that allows an attacker with limited network access to supply a crafted file path and read arbitrary files from the underlying operating system. The disclosed files may contain sensitive configuration data, authentication credentials or system logs, giving the adversary confidential information that could be used to further compromise the network.

Affected Systems

Affected devices include a wide range of Ubiquiti UniFi OS products such as EFG, ENVR, ENVR‑Core, Express 7, UCG‑Fiber, UCG‑Industrial, UCG‑Max, UCG‑Ultra, UCK, UCK‑Enterprise, UCKP, UDM, UDM‑Beast, UDM‑Pro, UDM‑Pro‑Max, UDM‑SE, UDR, UDR‑5G, UDR7, UDW, UNAS‑2, UNAS‑4, UNAS‑Pro, UNAS‑Pro‑4, UNAS‑Pro‑8, UNVR, UNVR‑G2, UNVR‑G2‑Pro, UNVR‑Instant, UNVR‑Pro, and UniFi OS Server. The advisory does not list specific firmware versions; the flaw is present in all firmware builds prior to the vendor’s fix.

Risk and Exploitability

The CVSS base score of 7.7 indicates a high risk to confidentiality. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an internal or tunnelled network connection to the device’s management interface, where an actor with low privileges crafts a malicious path. Even without publicly known exploits, the potential for sensitive data disclosure makes timely remediation critical.

Generated by OpenCVE AI on May 22, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Ubiquiti that includes the path‑traversal fix when it becomes available.
  • Restrict the device’s web interface to a trusted internal network or VPN, and configure firewall rules to block all other external access.
  • Implement network segmentation to isolate UniFi OS devices from less‑trusted segments and limit lateral movement by any compromised workstations.

Generated by OpenCVE AI on May 22, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Ubiquiti
Ubiquiti efg
Ubiquiti envr
Ubiquiti envr-core
Ubiquiti express 7
Ubiquiti ucg-fiber
Ubiquiti ucg-industrial
Ubiquiti ucg-max
Ubiquiti ucg-ultra
Ubiquiti uck
Ubiquiti uck-enterprise
Ubiquiti uckp
Ubiquiti udm
Ubiquiti udm-beast
Ubiquiti udm-pro
Ubiquiti udm-pro-max
Ubiquiti udm-se
Ubiquiti udr
Ubiquiti udr-5g
Ubiquiti udr7
Ubiquiti udw
Ubiquiti unas-2
Ubiquiti unas-4
Ubiquiti unas-pro
Ubiquiti unas-pro-4
Ubiquiti unas-pro-8
Ubiquiti unifi Os
Ubiquiti unvr
Ubiquiti unvr-g2
Ubiquiti unvr-g2-pro
Ubiquiti unvr-instant
Ubiquiti unvr-pro
Vendors & Products Ubiquiti
Ubiquiti efg
Ubiquiti envr
Ubiquiti envr-core
Ubiquiti express 7
Ubiquiti ucg-fiber
Ubiquiti ucg-industrial
Ubiquiti ucg-max
Ubiquiti ucg-ultra
Ubiquiti uck
Ubiquiti uck-enterprise
Ubiquiti uckp
Ubiquiti udm
Ubiquiti udm-beast
Ubiquiti udm-pro
Ubiquiti udm-pro-max
Ubiquiti udm-se
Ubiquiti udr
Ubiquiti udr-5g
Ubiquiti udr7
Ubiquiti udw
Ubiquiti unas-2
Ubiquiti unas-4
Ubiquiti unas-pro
Ubiquiti unas-pro-4
Ubiquiti unas-pro-8
Ubiquiti unifi Os
Ubiquiti unvr
Ubiquiti unvr-g2
Ubiquiti unvr-g2-pro
Ubiquiti unvr-instant
Ubiquiti unvr-pro

Fri, 22 May 2026 03:45:00 +0000

Type Values Removed Values Added
Title Path Traversal Vulnerability in UniFi OS Devices Allows Unauthorized File Access

Fri, 22 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information.
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Ubiquiti Efg Envr Envr-core Express 7 Ucg-fiber Ucg-industrial Ucg-max Ucg-ultra Uck Uck-enterprise Uckp Udm Udm-beast Udm-pro Udm-pro-max Udm-se Udr Udr-5g Udr7 Udw Unas-2 Unas-4 Unas-pro Unas-pro-4 Unas-pro-8 Unifi Os Unvr Unvr-g2 Unvr-g2-pro Unvr-instant Unvr-pro
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-22T12:37:48.894Z

Reserved: 2026-03-31T15:00:06.521Z

Link: CVE-2026-34911

cve-icon Vulnrichment

Updated: 2026-05-22T12:37:44.037Z

cve-icon NVD

Status : Deferred

Published: 2026-05-22T02:16:34.667

Modified: 2026-05-22T16:22:31.900

Link: CVE-2026-34911

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T12:38:17Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')