securityaffairs.com, 3/19/2026, 10:09:27 PM

Critical Ubiquiti UniFi security flaw allows potential account hijacking


Ubiquiti has patched two vulnerabilities in its UniFi Network application, including a maximum-severity flaw that could enable account takeover. The issue, tracked as CVE-2026-22557 (CVSS 10.0), affects UniFi Network application version 10.1.85 and earlier: an attacker with access to the network could exploit a path traversal flaw to read system files and potentially take over user accounts.

The second flaw, CVE-2026-22558 (CVSS 7.7), also resides in the UniFi Network application and could allow a malicious actor with authenticated network access to escalate privileges through a NoSQL injection vulnerability. The advisory notes that version 10.1.89 or later addresses both vulnerabilities. The disclosure and fixes were reported by Security Affairs author Pierluigi Paganini on 19 March 2026.

The impact is described as potential unauthorised access and privilege escalation affecting users who manage UniFi devices such as access points, switches, and gateways through the application.

Article by CyberSIXT