Executive Summary
Ubiquiti has disclosed CVE-2026-50747, a series of authenticated SQL injection vulnerabilities in the UniFi Talk Application that carry a CVSS score of 9.9 (Critical). A low-privileged network attacker can chain these flaws to escalate privileges on the host device, ultimately gaining control far beyond the application layer.
CVSS Score: 9.9 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-50747 |
| CVSS Score | 9.9 (Critical) |
| Type | SQL Injection → Privilege Escalation |
| Product | UniFi Talk Application |
| Vendor | Ubiquiti Networks |
| Attack Vector | Network |
| Authentication | Low privileges required |
| Privileges Required | Low |
| User Interaction | None |
| Impact | Host-level privilege escalation |
| Published | 2026-07-02 |
Technical Details
The vulnerability is described as a series of authenticated SQL Injection vulnerabilities — meaning multiple injection points exist within the application. Individually each may be limited in scope, but chaining them enables an attacker with low network privileges to escalate to full host-level access.
Vulnerability Chain
1. Low-privileged attacker authenticates to UniFi Talk Application
2. Identifies one or more SQL injection endpoints
3. Crafts injection payloads to read/write internal database
4. Leverages database access to extract or manipulate application data
5. Chains additional injection points to reach OS-level execution or credential access
6. Achieves privilege escalation on the host deviceSQL Injection Characteristics
| Property | Detail |
|---|---|
| Injection Type | Multiple authenticated endpoints |
| Database Impact | Read, write, and potentially command execution |
| Chaining Required | Yes — multiple flaws combine for host escalation |
| Low-Privilege Trigger | Any authenticated user can initiate |
Affected Products and Remediation
| Product | Status |
|---|---|
| UniFi Talk Application | Patch available — update immediately |
Administrators should update through the UniFi OS System settings to the latest patched version.
Immediate Actions
- Update UniFi Talk Application immediately via UniFi OS
- Audit low-privilege accounts on UniFi Talk — minimize the number of active accounts
- Restrict network access to UniFi Talk management interfaces to trusted VLANs only
- Review database logs for anomalous queries or bulk data reads
- Monitor for unexpected process activity on UniFi OS devices running Talk
- Rotate credentials stored within or managed by UniFi Talk
Risk Context
VoIP and Communications Infrastructure
UniFi Talk is Ubiquiti's VoIP management application, used in offices and campuses to run IP phone systems. Compromise of this application can:
- Intercept voice communications on the managed phone system
- Access call records and voicemail data
- Pivot to the host device and from there into the broader network
- Disrupt communications infrastructure — phone systems are often considered critical business services
Why SQL Injection Still Matters
Despite being a well-understood vulnerability class, SQL injection remains prevalent because:
- Complex applications with multiple developers often have inconsistent input validation
- Multi-point injection chains are harder to catch in code review than single-endpoint flaws
- Authenticated endpoints receive less scrutiny in security testing than unauthenticated ones
The "series of vulnerabilities" language in the advisory suggests this was not a simple oversight — multiple endpoints share the same underlying failure to properly parameterize queries.
Detection
| Indicator | Detection Method |
|---|---|
| Unusual SQL query patterns in application logs | Database query logging |
| Elevated process spawning from Talk application | Host process monitoring |
| Large data reads from the UniFi Talk database | Database audit logs |
| Unexpected admin-level operations by low-privilege accounts | Application audit logs |