Ubiquiti CVE-2026-50746: Patch Critical UniFi Flaws

Ubiquiti patched seven critical UniFi vulnerabilities, including CVE-2026-50746, a CVSS 10.0 command-injection issue in UniFi Connect. Update exposed controllers and appliances now.

Ubiquiti has released fixes for seven critical vulnerabilities across the UniFi ecosystem, led by CVE-2026-50746, a CVSS 10.0 flaw in UniFi Connect that can allow command injection on the host device when the vulnerable service is reachable from the network.[1][2] Administrators should treat this as an urgent maintenance window, especially where UniFi controllers, gateways, access systems, voice systems, NVRs, or building-automation interfaces are exposed beyond a tightly controlled management network.

The most severe issue affects UniFi Connect Application 3.4.16 and earlier; Ubiquiti’s fix target is 3.4.20 or later.[3] The same advisory set also covers critical bugs in UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS, including SQL injection, command injection, SSRF, and access-control failures. Public reporting lists fixed versions as UniFi Talk 5.2.2, UniFi Access 4.2.29, UniFi Protect 7.1.83, and UniFi OS 5.1.19 for the affected product lines.[4]

What UniFi administrators should check now

There is no confirmed in-the-wild exploitation of this new Bulletin 066 batch at publication time, but the context is uncomfortable: CISA added a separate UniFi OS chain, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, to its Known Exploited Vulnerabilities catalog in June after real-world attacks were observed.[5] That earlier chain shows why critical UniFi bugs should not sit in a normal monthly patch queue.

Start with inventory. Find UniFi Network/OS consoles, Cloud Gateways, Protect NVRs, Access hubs, Talk installations, and Connect deployments. Confirm their application and OS versions from the UniFi console rather than relying only on package names. If a controller is reachable from the public internet, VPN-only management or strict source-IP allowlisting should be reviewed before the patch window closes.

For incident triage, look for unexpected administrator accounts, new API tokens, unknown remote-access settings, unexplained device-adoption changes, and commands or scripts run from the UniFi host around the patch window. Also review firewall/NAT rules and outbound traffic from UniFi appliances. Compromised network devices are often used as traffic relays; recent campaigns against routers and edge devices, including AryStinger’s D-Link router proxy activity and C0XMO’s DD-WRT botnet abuse, are useful reminders that a management appliance can become infrastructure for someone else’s attack.

The practical priority is simple: update the affected UniFi applications and UniFi OS components, reduce management exposure, then verify that the environment did not already drift into an unsafe state. If you administer multi-site UniFi deployments for clients, document which sites were updated and which remain unreachable, because an unpatched remote controller is the kind of asset that gets rediscovered after a scan wave, not before it.

References

  1. Ubiquiti Community, Security Advisory Bulletin 066.
  2. NIST National Vulnerability Database, CVE-2026-50746 Detail.
  3. CVE Program, CVE-2026-50746 Record.
  4. The Hacker News, Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS, July 8, 2026.
  5. CISA, Known Exploited Vulnerabilities Catalog.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment