UBIQUITI has released patches for seven critical vulnerabilities in UniFi OS, including the severe CVE-2026-50746, which allows command injection in the UniFi Connect Application with a CVSS score of 10.0. Affected versions include 3.4.16 and earlier.
Other vulnerabilities include CVE-2026-50747 (9.9, SQL injection), CVE-2026-50748 (9.9, improper input validation), CVE-2026-54400 (9.1, improper access control), CVE-2026-54402 (9.9, SSRF), CVE-2026-55115 (9.9, CORS misconfiguration), and CVE-2026-55116 (9.0, unauthorized changes). Ubiquiti recommends updating immediately to mitigate risks, and has not confirmed any exploitation of these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Ubiquiti vulnerabilities to its known exploited vulnerabilities catalog.