CVE-2026-34909 - Vulnerability Details

- UniFi OS Path Traversal allows unauthorized system account access

Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

Published: 2026-05-22

Score: 10 Critical

EPSS: 2.3% Low

KEV: Yes

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Ubiquiti Inc

UniFi OS Server

unaffected

Version	Status	Constraints
`0`	affected	< 5.0.8

Ubiquiti Inc

Express

unaffected

Version	Status	Constraints
`0`	affected	< 4.0.14

Ubiquiti Inc

UDM

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDM-Pro

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDM-SE

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDM-Pro-Max

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDM-Beast

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.11

Ubiquiti Inc

EFG

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDW

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDR

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDR7

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UDR-5G

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

Express 7

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNVR

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNVR-Pro

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNVR-Instant

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNVR-G2

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNVR-G2-Pro

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

ENVR

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

ENVR-Core

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UNAS-2

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.10

Ubiquiti Inc

UNAS-4

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.10

Ubiquiti Inc

UNAS-Pro

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.10

Ubiquiti Inc

UNAS-Pro-4

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.10

Ubiquiti Inc

UNAS-Pro-8

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.10

Ubiquiti Inc

UCKP

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCK

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCK-Enterprise

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCG-Ultra

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCG-Max

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCG-Fiber

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

Ubiquiti Inc

UCG-Industrial

unaffected

Version	Status	Constraints
`0`	affected	< 5.1.12

No data.

Vendor Product Confidence Versions

Ubiquiti

Efg

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Envr

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Envr-core

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Express 7

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Ucg-fiber

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Ucg-industrial

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Ucg-max

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Ucg-ultra

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Uck

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Uck-enterprise

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Uckp

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udm

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udm-beast

100%

Version	Status	Scheme	Platform
`[0,5.1.11)`	affected	semver	—

Ubiquiti

Udm-pro

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udm-pro-max

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udm-se

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udr

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udr-5g

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udr7

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Udw

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Unas-2

100%

Version	Status	Scheme	Platform
`[0,5.1.10)`	affected	semver	—

Ubiquiti

Unas-4

100%

Version	Status	Scheme	Platform
`[0,5.1.10)`	affected	semver	—

Ubiquiti

Unas-pro

100%

Version	Status	Scheme	Platform
`[0,5.1.10)`	affected	semver	—

Ubiquiti

Unas-pro-4

100%

Version	Status	Scheme	Platform
`[0,5.1.10)`	affected	semver	—

Ubiquiti

Unas-pro-8

100%

Version	Status	Scheme	Platform
`[0,5.1.10)`	affected	semver	—

Ubiquiti

Unifi Os

100%

Version	Status	Scheme	Platform
`[0,5.0.8)`	affected	semver	—

Ubiquiti

Unvr

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Unvr-g2

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Unvr-g2-pro

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Unvr-instant

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Ubiquiti

Unvr-pro

100%

Version	Status	Scheme	Platform
`[0,5.1.12)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since June 23, 2026.

The EPSS score is 0.02269.

Exploitation active

Automatable yes

Technical Impact total

References

Link	Providers
https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34909
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/

History

Wed, 24 Jun 2026 11:00:00 +0000

Type	Values Removed	Values Added
Title		UniFi OS Path Traversal allows unauthorized system account access

Wed, 24 Jun 2026 08:45:00 +0000

Type	Values Removed	Values Added
Title	Path Traversal in Ubiquiti UniFi OS Devices Allows Unauthorized System Account Access

Wed, 24 Jun 2026 05:45:00 +0000

Type	Values Removed	Values Added
Title		Path Traversal in Ubiquiti UniFi OS Devices Allows Unauthorized System Account Access

Tue, 23 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Title	Path Traversal Vulnerability in UniFi OS Devices Allows Unauthorized System Access

Tue, 23 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34909 https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-06-23T00:00:00+00:00', 'dueDate': '2026-06-26T00:00:00+00:00'}`

Fri, 22 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 22 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ubiquiti Ubiquiti efg Ubiquiti envr Ubiquiti envr-core Ubiquiti express 7 Ubiquiti ucg-fiber Ubiquiti ucg-industrial Ubiquiti ucg-max Ubiquiti ucg-ultra Ubiquiti uck Ubiquiti uck-enterprise Ubiquiti uckp Ubiquiti udm Ubiquiti udm-beast Ubiquiti udm-pro Ubiquiti udm-pro-max Ubiquiti udm-se Ubiquiti udr Ubiquiti udr-5g Ubiquiti udr7 Ubiquiti udw Ubiquiti unas-2 Ubiquiti unas-4 Ubiquiti unas-pro Ubiquiti unas-pro-4 Ubiquiti unas-pro-8 Ubiquiti unifi Os Ubiquiti unvr Ubiquiti unvr-g2 Ubiquiti unvr-g2-pro Ubiquiti unvr-instant Ubiquiti unvr-pro
Vendors & Products		Ubiquiti Ubiquiti efg Ubiquiti envr Ubiquiti envr-core Ubiquiti express 7 Ubiquiti ucg-fiber Ubiquiti ucg-industrial Ubiquiti ucg-max Ubiquiti ucg-ultra Ubiquiti uck Ubiquiti uck-enterprise Ubiquiti uckp Ubiquiti udm Ubiquiti udm-beast Ubiquiti udm-pro Ubiquiti udm-pro-max Ubiquiti udm-se Ubiquiti udr Ubiquiti udr-5g Ubiquiti udr7 Ubiquiti udw Ubiquiti unas-2 Ubiquiti unas-4 Ubiquiti unas-pro Ubiquiti unas-pro-4 Ubiquiti unas-pro-8 Ubiquiti unifi Os Ubiquiti unvr Ubiquiti unvr-g2 Ubiquiti unvr-g2-pro Ubiquiti unvr-instant Ubiquiti unvr-pro

Fri, 22 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Title		Path Traversal Vulnerability in UniFi OS Devices Allows Unauthorized System Access

Fri, 22 May 2026 01:30:00 +0000

Type	Values Removed	Values Added
Description		A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
Weaknesses		CWE-22
References		https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Ubiquiti Efg Envr Envr-core Express 7 Ucg-fiber Ucg-industrial Ucg-max Ucg-ultra Uck Uck-enterprise Uckp Udm Udm-beast Udm-pro Udm-pro-max Udm-se Udr Udr-5g Udr7 Udw Unas-2 Unas-4 Unas-pro Unas-pro-4 Unas-pro-8 Unifi Os Unvr Unvr-g2 Unvr-g2-pro Unvr-instant Unvr-pro

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-05-22T00:43:49.072Z

Updated: 2026-06-24T03:56:19.760Z

Reserved: 2026-03-31T15:00:06.521Z

Link: CVE-2026-34909

Vulnrichment

Updated: 2026-05-22T17:27:36.870Z

NVD

Status : Deferred

Published: 2026-05-22T02:16:34.390

Modified: 2026-06-17T10:39:49.337

Link: CVE-2026-34909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses

CWE-22

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation active

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object