Ubiquiti has released security updates to patch three maximum-severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges.

UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.

The first flaw (CVE-2026-34908) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness in UniFi OS. The second (CVE-2026-34909) allows them to access files on the underlying system by abusing a Path Traversal vulnerability, which could be manipulated to access an underlying account.

A third maximum-severity security issue (CVE-2026-34910) makes it possible for malicious actors to launch a command injection attack after gaining network access by exploiting an Improper Input Validation vulnerability.

On Thursday, Ubiquiti also patched a second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911), both affecting UniFi OS devices.