Executive Summary
Ubiquiti has disclosed CVE-2026-50748, an Improper Input Validation vulnerability in the UniFi Access Application with a CVSS score of 9.9 (Critical). A malicious actor with low network privileges can exploit this flaw to execute a command injection on the underlying host device, achieving arbitrary OS-level code execution.
CVSS Score: 9.9 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-50748 |
| CVSS Score | 9.9 (Critical) |
| Type | Command Injection via Improper Input Validation |
| Product | UniFi Access Application |
| Vendor | Ubiquiti Networks |
| Attack Vector | Network |
| Authentication | Low privileges required |
| Privileges Required | Low |
| User Interaction | None |
| Impact | OS command execution on host device |
| Published | 2026-07-02 |
Technical Details
The vulnerability is an Improper Input Validation flaw where attacker-controlled input reaches an OS command execution context without adequate sanitization. Unlike CVE-2026-50746 (which requires only network access), this flaw requires low-level authenticated access to the UniFi Access Application — still a low bar for an insider threat or an attacker who has obtained any valid credential.
Attack Flow
1. Attacker obtains low-privileged credentials for UniFi Access Application
2. Sends request with crafted input containing OS command injection payload
3. Application fails to validate/sanitize the input before passing to OS layer
4. Injected commands execute with application process privileges on the host
5. Attacker achieves code execution on the UniFi Access host deviceComparison with CVE-2026-50746
| Property | CVE-2026-50746 | CVE-2026-50748 |
|---|---|---|
| Product | UniFi Connect | UniFi Access |
| CVSS | 10.0 | 9.9 |
| Auth Required | None (network only) | Low privileges |
| Flaw Type | Improper Access Control | Improper Input Validation |
| Impact | RCE on host | RCE on host |
Both vulnerabilities affect UniFi physical access control infrastructure and result in host-level code execution, making them equally dangerous in practice.
Affected Products and Remediation
| Product | Status |
|---|---|
| UniFi Access Application | Patch available — update immediately |
Update via UniFi OS System settings to the latest patched version.
Immediate Actions
- Update UniFi Access Application immediately via UniFi OS
- Minimize the number of low-privilege accounts — each valid account is a potential exploit entry point
- Isolate UniFi Access hosts on a dedicated, monitored network segment
- Disable remote management from untrusted networks — restrict to admin VLANs only
- Audit physical door controller events for unauthorized entries or config changes
- Check for persistence mechanisms on any UniFi Access hosts that may have been exposed
Risk Context
Dual Physical-Cyber Impact
UniFi Access manages physical access control — door readers, NFC/RFID badge systems, and entry controllers. An OS-level compromise of the host running UniFi Access can:
- Remotely unlock doors or disable access restrictions
- Manipulate badge/credential databases to grant or revoke physical access
- Wipe audit trails for physical entry events
- Serve as a pivot point for lateral movement into the corporate network
- Combine with CVE-2026-50746 if both Connect and Access are deployed on the same host
Low-Privilege Threshold
Many organizations extend view-only or limited-admin credentials to facilities staff, contractors, or integrated management systems. Any of these accounts can be used to trigger this vulnerability, meaning the effective attack surface includes third-party integrations and service accounts — not just human users.
Detection
| Indicator | Detection Method |
|---|---|
| Unexpected OS process spawning from UniFi Access service | Host process monitoring |
| Anomalous outbound connections from host | Network egress analysis |
| Physical access log anomalies (unlocks without badge swipes) | Physical security audit |
| Configuration changes to access rules or door schedules | Application audit log |
| Modified files in UniFi Access application directories | File integrity monitoring |