
Critical UniFi OS Authentication Bypass Vulnerabilities Result in Unauthenticated Root RCE


Ubiquiti Addresses Severe Vulnerabilities in UniFi OS Server

Ubiquiti has patched three critical vulnerabilities in UniFi OS Server. Chained together, they let an unauthenticated attacker execute code as root on the appliance, which puts everything the console manages at risk.

The vulnerabilities were disclosed on May 21, 2026 in Security Advisory Bulletin 064 (SAB-064) and are tracked as CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910. Each carries the maximum CVSS 3.1 score of 10.0. Bishop Fox demonstrated the full chain against version 5.0.6: a single crafted HTTP request yields a root shell, with no credentials and no user interaction.

Detailed Exploration of the Vulnerabilities

The chain starts with an authentication gateway bypass (CVE-2026-34908 and CVE-2026-34909). The Nginx authentication handler decides whether a route is exempt from authentication by inspecting the raw, still percent-encoded request URI. Nginx then selects the upstream backend using the normalized URI, in which percent-encoded characters such as %2f have been decoded to / and directory traversal sequences (../) have been collapsed. The two components therefore see different paths for the same request: a path-normalization discrepancy between the check and the dispatch.

An attacker exploits the mismatch with a request whose raw URI begins with the auth-exempt endpoint /api/auth/validate-sso/ but whose normalized form resolves to a route that normally requires authentication. The auth handler sees the exempt prefix and lets the request through, and the router delivers it to the protected backend, as Bishop Fox describes.
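The following is an added example, not Ubiquiti's gateway code and not Bishop Fox's proof of concept. It models the mismatch in two hypothetical components: an authentication handler that looks only at the raw URI, and a router that dispatches on the decoded, dot-segment-collapsed form. The exempt prefix is the one named above; the protected route "/api/protected/resource" and the crafted request path are constructed for illustration, and the fix shown is to make the exemption decision on the same canonical form the router uses.

```python
"""Auth check on the raw URI vs. routing on the normalized URI (added example)."""
import posixpath
from urllib.parse import unquote

# Route the article names as auth-exempt; matched by prefix as a gateway would.
AUTH_EXEMPT_PREFIXES = ("/api/auth/validate-sso/",)


def normalize(raw_uri: str) -> str:
    """Percent-decode, then collapse '.' and '..' segments: the router's view."""
    decoded = unquote(raw_uri)
    norm = posixpath.normpath(decoded)
    # normpath drops a trailing slash; restore it so prefix matching is stable.
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_exempt_vulnerable(raw_uri: str) -> bool:
    """Bug class: the exemption decision is made on the raw, still-encoded URI."""
    return raw_uri.startswith(AUTH_EXEMPT_PREFIXES)


def is_exempt_fixed(raw_uri: str) -> bool:
    """Fix: decide on exactly the canonical form the router will dispatch on."""
    return normalize(raw_uri).startswith(AUTH_EXEMPT_PREFIXES)


def is_ambiguous(raw_uri: str) -> bool:
    """Belt and braces: a request that changes under normalization is suspect
    and can simply be rejected at the edge."""
    return normalize(raw_uri) != raw_uri


def handle(raw_uri: str, authenticated: bool, exempt_check) -> tuple:
    """Return (status, upstream_path) for one request through the gateway."""
    upstream = normalize(raw_uri)                          # what the router sees
    if not authenticated and not exempt_check(raw_uri):    # what the auth handler sees
        return (401, upstream)
    return (200, upstream)


# Constructed request: raw prefix matches the exempt route, normalized form
# resolves to a hypothetical protected route.
CRAFTED = "/api/auth/validate-sso/..%2f..%2fprotected/resource"

if __name__ == "__main__":
    for check in (is_exempt_vulnerable, is_exempt_fixed):
        print(check.__name__, handle(CRAFTED, False, check))
    print("changes under normalization:", is_ambiguous(CRAFTED))
```

Under the vulnerable check the crafted request is dispatched to the protected route with status 200 while unauthenticated; under the fixed check it gets 401. Rejecting any request for which is_ambiguous is true removes the whole class, at the cost of refusing legitimately encoded slashes.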

With authentication bypassed, the attacker turns to a command injection in the package-update service (CVE-2026-34910). The service accepts a user-supplied package name and splices it into a command string that it executes via sh -c. Version 5.0.6 does not validate the name, so shell metacharacters in it are interpreted by the shell and the attacker's commands run under the ucs-update service account.

That account has passwordless sudo rights for /usr/bin/dpkg and /bin/systemctl. Because dpkg runs a package's maintainer scripts as root, installing an attacker-built .deb through sudo dpkg is enough to obtain full root privileges.
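The following is an added example, not the UniFi package-update service's code. It shows the bug class beside two hardenings: a package name concatenated into a string handed to sh -c, the same string with the name shell-quoted, and the name validated against the Debian package-name grammar and passed as its own argv element with no shell at all. The installer command is a stand-in ("echo installing <name>") so the demo runs offline; the hostile input is constructed.

```python
"""Package name spliced into a shell string vs. validated and passed via argv."""
import re
import shlex
import subprocess

# Stand-in for the package-manager invocation (constructed so the demo runs offline).
INSTALLER = ["echo", "installing"]

# Debian package-name grammar: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric. The alphanumeric
# first character also rules out names beginning with '-', which a package
# manager would otherwise parse as an option even when passed via argv.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.\-]+")


def is_valid_package_name(name: str) -> bool:
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def validate_package_name(name: str) -> str:
    if not is_valid_package_name(name):
        raise ValueError(f"rejected package name: {name!r}")
    return name


def update_vulnerable(name: str) -> str:
    """Bug class: user input concatenated into a string that sh -c will parse."""
    cmd = " ".join(INSTALLER) + " " + name
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def update_quoted(name: str) -> str:
    """Half-fix: shlex.quote makes the name a single shell word, but the shell is
    still in the loop and nothing constrains what the program behind it receives."""
    cmd = " ".join(INSTALLER) + " " + shlex.quote(name)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def update_fixed(name: str) -> str:
    """Fix: allow-list the name, then pass it as its own argv element; no shell."""
    return subprocess.run(INSTALLER + [validate_package_name(name)],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    hostile = "foo; echo INJECTED"          # constructed hostile input
    print(repr(update_vulnerable(hostile)))  # the second command runs
    print(repr(update_quoted(hostile)))      # one literal argument, nothing runs
    try:
        update_fixed(hostile)
    except ValueError as err:
        print(err)
    print(repr(update_fixed("openssh-server")))
```

The allow-list matters even with argv: a name such as "-o" is not a shell problem but would be read as an option by the package manager. None of this touches the second half of the chain; the sudoers grant for dpkg and systemctl has to be narrowed separately, since a root-capable package installer reachable from a service account is a privilege-escalation path regardless of how the name arrives.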

Root on a UniFi OS appliance means full control over the organization's network management. Attackers can extract the JSON Web Token (JWT) signing key and use it to forge administrator sessions that survive patching, password resets and reboots. Bishop Fox found that an owner-scope JWT forged with a stolen key remains valid even on a fully patched 5.0.8 console.

Ubiquiti's patches close the initial entry point but do not change the token verification model: a token is accepted on the strength of its signature alone, so a compromised key keeps producing valid sessions until it is rotated.
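The following is an added example, not Ubiquiti's token code. It implements HS256 JWT signing and verification with the standard library and plays out the scenario above: a token forged with a stolen key still verifies after the software is patched, is rejected once the key is rotated, and cannot be kept out by an issued-after-incident cutoff because the attacker chooses the claims. Key values, the "scope": "owner" claim and the incident timestamp are constructed for illustration.

```python
"""Why a patch alone does not revoke sessions forged with a stolen signing key."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature verifies under `key`, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):   # malformed base64/JSON/shape
        return None


def session_is_valid(token: str, active_keys: Iterable[bytes]) -> bool:
    """Model of the console's session check: good under any currently active key.
    Nothing here depends on the software version, which is why a patch alone
    leaves forged tokens valid."""
    return any(verify_hs256(token, k) is not None for k in active_keys)


def session_is_valid_with_cutoff(token: str, active_keys: Iterable[bytes],
                                 incident_time: int) -> bool:
    """Tempting half-measure: reject tokens issued before the incident. With the
    key in hand the attacker simply forges a post-incident iat."""
    for k in active_keys:
        claims = verify_hs256(token, k)
        if claims is not None and claims.get("iat", 0) >= incident_time:
            return True
    return False


def scenario() -> dict:
    """Forge with a stolen key, then compare patch-only, iat cutoff and rotation."""
    stolen_key = b"signing-key-at-time-of-compromise"      # constructed
    incident_time = 1_700_000_000                           # constructed
    forged = sign_hs256({"sub": "attacker", "scope": "owner", "iat": 0}, stolen_key)
    # Patched console, same key: still accepted.
    after_patch_only = session_is_valid(forged, [stolen_key])
    # Cutoff on iat: attacker re-forges with a later iat and is accepted again.
    reforged = sign_hs256({"sub": "attacker", "scope": "owner",
                           "iat": incident_time + 1}, stolen_key)
    cutoff_bypassed = session_is_valid_with_cutoff(reforged, [stolen_key], incident_time)
    # Key rotated and the old key retired: forged tokens fail.
    new_key = b"signing-key-after-rotation"                  # constructed
    after_rotation = session_is_valid(forged, [new_key]) or session_is_valid(reforged, [new_key])
    return {"after_patch_only": after_patch_only,
            "cutoff_bypassed": cutoff_bypassed,
            "after_rotation": after_rotation}


if __name__ == "__main__":
    print(scenario())
```

The only state that invalidates a forged token is the key set itself, so rotation has to retire the old key outright rather than keep it active for a grace period; any grace period is a window in which the forged owner-scope session still works.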

The consequences reach beyond network control. With root, attackers can exfiltrate TLS private keys, cloud access tokens and the complete PostgreSQL user database. Physical security is affected too: where UniFi Access and UniFi Protect are in use, an attacker could unlock doors, clone NFC and facial-recognition credentials, watch live camera feeds and permanently delete recorded footage.

Recommended Mitigation Measures

Ubiquiti advises administrators to upgrade promptly to UniFi OS Server 5.0.8 or the equivalent release for their hardware. According to SAB-064, most Cloud Gateways need version 5.1.12, the UNAS line 5.1.10, the Dream Machine Beast 5.1.11, and UniFi Express 4.0.14.

Any externally exposed, unpatched instance should be treated as fully compromised and rebuilt from a known-good image rather than patched in place, since patching does not evict an attacker who already holds the signing key.

Implementing the following measures can help mitigate risks:

  • Restrict TCP port 11443 to a dedicated management VLAN and block all external access.
  • Rotate JWT signing keys, TLS keys, cloud access tokens, RADIUS secrets, and database credentials prior to system reboots.
  • Treat biometric and NFC data as permanently compromised, as these credentials cannot be effectively rotated.

These vulnerabilities threaten physical security environments as much as digital infrastructure. Ubiquiti's patches close the entry point, but organizations still have to apply the updates, rotate every secret the console held, and rebuild anything that was exposed.
