Executive Summary
Ubiquiti has disclosed a critical command injection vulnerability in the UniFi Connect Application tracked as CVE-2026-50746 with a maximum CVSS score of 10.0. A malicious actor with access to the network can exploit an Improper Access Control weakness to inject and execute OS-level commands directly on the host device — no elevated privileges required beyond basic network reachability.
CVSS Score: 10.0 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-50746 |
| CVSS Score | 10.0 (Critical) |
| Type | Command Injection via Improper Access Control |
| Product | UniFi Connect Application |
| Vendor | Ubiquiti Networks |
| Attack Vector | Network |
| Authentication | Network access sufficient (no host auth required beyond network reach) |
| Privileges Required | None beyond network access |
| User Interaction | None |
| Impact | Full OS command execution on host device |
| Published | 2026-07-02 |
Technical Details
The vulnerability stems from Improper Access Control in the UniFi Connect Application's network-facing interface. An attacker positioned on the network can craft a malicious request that bypasses intended access controls and passes unsanitized input directly to OS-level command execution routines.
Attack Surface
UniFi Connect is a Ubiquiti platform used to manage physical access control systems — door readers, intercoms, and connected entry hardware. The application runs on UniFi OS-based devices and is accessible over the local network (and often the internet in misconfigured deployments).
Attack Flow
1. Attacker gains network access to the UniFi Connect host
2. Sends crafted request exploiting Improper Access Control flaw
3. Application passes attacker-controlled input to OS command handler
4. Arbitrary command executes on the underlying host system
5. Attacker achieves full control of the host deviceWhy CVSS 10.0
The maximum possible score reflects:
- No authentication required beyond network reachability
- No user interaction needed
- Full confidentiality, integrity, and availability impact on the host
- Trivially reachable attack surface (standard network protocol)
Affected Products and Remediation
| Product | Status |
|---|---|
| UniFi Connect Application | Patch available — update immediately |
Ubiquiti has released a patched version addressing this vulnerability. Administrators should update through the UniFi OS System settings immediately.
Immediate Actions
- Update UniFi Connect Application to the latest patched version via UniFi OS
- Audit network exposure — restrict UniFi OS management interfaces from public internet access
- Enable UniFi Network Application firewall rules to limit management plane access to trusted hosts
- Review access logs on UniFi Connect hosts for anomalous command activity
- Segment IoT/access-control networks from corporate infrastructure
Risk Context
Physical Access Control Implications
UniFi Connect manages physical security infrastructure. A successful exploit does not merely compromise a software application — it can:
- Disable or manipulate door locks and access readers
- Grant unauthorized physical building access
- Destroy audit trails for physical entry events
- Pivot into broader corporate network from the access control segment
This cross-domain impact (cyber → physical) significantly elevates the real-world risk beyond what the CVSS score alone conveys.
Ubiquiti Deployment Scale
Ubiquiti's UniFi product line is extremely popular in SMB, enterprise, and campus environments. The broad deployment footprint means this vulnerability has a correspondingly large attack surface if mass-scanning or exploitation campaigns begin.
Detection
| Indicator | Detection Method |
|---|---|
| Unexpected process spawning from UniFi Connect service | Host process monitoring |
| Anomalous outbound connections from UniFi OS device | Network egress monitoring |
| Modified configuration or credential files | File integrity monitoring |
| Failed auth attempts followed by command execution | Log analysis |