All incidents

Ubiquiti patches critical command injection flaw in UniFi Connect (CVE-2026-50746)

vulnerabilityopenJul 7, 2026 — Jul 8, 2026
Ubiquiti patches critical command injection flaw in UniFi Connect

UBIQUITI has issued a security update for its UniFi Connect application after researchers identified a critical command injection vulnerability that could allow remote code execution on affected devices. The flaw, recorded as CVE-2026-50746, carries the maximum CVSS score of 10.0, indicating it can be exploited without authentication and with low complexity. An attacker who can reach the UniFi Connect service over the network may inject arbitrary commands and gain full control of the host system. The vendor rates the issue as a high priority for all deployments.

The vulnerable component is the UniFi Connect app itself, with all releases prior to version 3.4.20 susceptible to the injection. The vulnerability occurs when specially crafted data is processed by the application’s management interface, allowing the injection of shell commands that execute with the privileges of the service. Upgrading to UniFi Connect 3.4.20 or later removes the flawed code path and restricts input validation to prevent abuse. Ubiquiti notes that the attack requires only network access, no valid credentials, and can be carried out using standard tools such as curl or a custom script.

This fix forms part of UniFi Security Advisory Bulletin 066, which outlines a total of twenty five security issues spanning the broader UniFi ecosystem. Besides the command injection, the advisory lists multiple SQL injection vulnerabilities, several server side request forgery flaws, path traversal weaknesses and authentication bypass problems that affect various UniFi controllers, access points and switches.

While some of these additional defects require a legitimate account to exploit, chaining them with the command injection could enable an attacker to move from a low privilege foothold to full administrative control over network infrastructure.

At the time of the advisory Ubiquiti had not detected any active exploitation of CVE-2026-50746 in the wild and no malware families or threat actor groups have been publicly linked to the flaw. Security researchers note that a proof of concept demonstrating the command injection has been shared on public forums, which raises the chance that opportunistic actors could attempt to scan for unpatched UniFi Connect instances. Organizations are therefore advised to treat the vulnerability as a pressing concern even in the absence of confirmed attacks.

Network administrators should prioritize updating UniFi Connect to version 3.4.20 or newer, which can be performed through the UniFi Network controller interface or by downloading the package directly from Ubiquiti’s support portal. In parallel, it is wise to limit access to the UniFi Connect management port to trusted subnets, enforce multi factor authentication where possible and monitor system logs for unexpected process spawns or command line arguments. Regular vulnerability scanning and penetration testing can also help confirm that the mitigations are effective and that no residual exposure remains.

Maintaining an up to date inventory of all UniFi devices and subscribing to vendor security announcements helps ensure that similar issues are identified before they can be leveraged in an attack. The full details of UniFi Security Advisory Bulletin 066 are available from the vendor’s portal, while additional analysis and mitigation guidance can be found in external blogs. Readers may consult the official advisory here, a detailed overview from SocRadar here and a summary from SecurityOnline here.

Intelligence briefing updated Jul 8, 2026

CVE-2026-50746 10.0
Root sourcecommunity.ui.com
Timeline Coverage

Swipe to explore timeline