CVE-2026-22557CVSS 9.8CRITICAL
This vulnerability is rated as CRITICAL due to its high severity and low complexity for exploitation. The path traversal flaw can be exploited with relative ease, potentially allowing complete account takeover without user interaction. Patches are available in versions 10.1.89 and later; however, the window of exposure was significant before these patches were released.

A critical vulnerability, CVE-2026-22557, has been identified in the UniFi Network Application (UniFi Controller) affecting versions up to and including 10.1.85. This maximum-severity flaw enables unprivileged attackers to exploit a path traversal vulnerability to access sensitive files on targeted devices. By doing so, they can potentially hijack user accounts without requiring any interaction from users. Additionally, Ubiquiti has addressed another issue related to an authenticated NoSQL Injection that allows low-privilege actors to escalate their privileges within the application. These vulnerabilities pose significant risks as they could enable attackers to gain unauthorized access and control over network configurations, leading to potential disruption of services or data breaches.

Affected Systems
  • UniFi Network Application
Affected Versions: All versions up to and including 10.1.85
Remediation
  • Upgrade UniFi Network Application to version 10.1.89 or later using the command: `sudo apt-get update && sudo apt-get install unifi`
  • Review system logs for any signs of unauthorized access during the window of exposure.
  • Change passwords for all user accounts as a precautionary measure.
Stack Impact

This vulnerability has significant impact on common homelab stacks using Ubiquiti networking hardware. Specifically, versions of UniFi Network Application below 10.1.89 are at risk and should be upgraded immediately.

Source →