Executive Summary
Ubiquiti has disclosed CVE-2026-54400, an Improper Access Control vulnerability in the UniFi Access Application with a CVSS score of 9.1 (Critical). A malicious actor with high privileges on the network can exploit this flaw to escalate their privileges further on the host device, turning application-level administrative access into OS-level control.
CVSS Score: 9.1 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-54400 |
| CVSS Score | 9.1 (Critical) |
| Type | Improper Access Control → Privilege Escalation |
| Product | UniFi Access Application |
| Vendor | Ubiquiti Networks |
| Attack Vector | Network |
| Authentication | High privileges required |
| Privileges Required | High |
| User Interaction | None |
| Impact | Host-level privilege escalation |
| Published | 2026-07-02 |
Technical Details
While CVE-2026-50748 (also in UniFi Access) requires only low privileges, CVE-2026-54400 is triggered by an attacker who already holds high privileges within the application. The flaw allows that highly privileged application user to break out of the application's access boundaries and escalate to the underlying host operating system.
This is particularly significant in scenarios where:
- Compromised admin accounts are used as the starting point
- Insider threats with legitimate admin credentials seek deeper access
- Chained attacks use CVE-2026-50748 to gain low privilege, escalate to high, then use CVE-2026-54400 for host control
Attack Scenario
Scenario A — Direct Admin Compromise:
1. Attacker obtains high-privilege UniFi Access admin credentials
(phishing, credential stuffing, or prior breach)
2. Exploits CVE-2026-54400 Improper Access Control flaw
3. Application boundaries fail to contain the high-privilege session
4. Attacker achieves OS-level access on the host device
Scenario B — Chained Low-to-Host Escalation:
1. Attacker uses CVE-2026-50748 with low privileges → code execution
2. Code execution used to steal or forge admin-level application tokens
3. CVE-2026-54400 escalates from application admin to host OS
4. Full host compromise achieved from initial low-privilege footholdUbiquiti UniFi Access CVE Cluster (July 2026)
| CVE | CVSS | Auth Required | Impact |
|---|---|---|---|
| CVE-2026-50746 | 10.0 | Network only | RCE on UniFi Connect host |
| CVE-2026-50748 | 9.9 | Low | RCE on UniFi Access host |
| CVE-2026-54400 | 9.1 | High | Priv esc on UniFi Access host |
| CVE-2026-50747 | 9.9 | Low | Priv esc on UniFi Talk host |
All four vulnerabilities were disclosed on 2026-07-02, suggesting they were discovered together — potentially in a coordinated security audit or bug bounty research.
Affected Products and Remediation
| Product | Status |
|---|---|
| UniFi Access Application | Patch available — update immediately |
Update via UniFi OS System settings to the latest patched version.
Immediate Actions
- Update UniFi Access Application immediately via UniFi OS
- Audit admin accounts — rotate credentials for all high-privilege UniFi Access accounts
- Enforce MFA on all UniFi admin accounts where possible
- Restrict network access to UniFi OS management interfaces to trusted, monitored VLANs
- Review host-level logs on UniFi Access devices for signs of privilege escalation
- Apply principle of least privilege — reduce the number of high-privilege application accounts
- Monitor for anomalous host-level processes spawned from the UniFi Access application
Risk Context
Why "High Privilege Required" Still Matters
It is tempting to discount vulnerabilities that require high privilege, reasoning that attackers rarely have such access. However:
- Credential theft is common — phishing and infostealer campaigns routinely harvest admin credentials
- Insider threats are real — disgruntled employees or contractors may have legitimate high-privilege access
- Chaining amplifies impact — lower-severity flaws on the same product can be used to reach the high-privilege state needed to trigger this CVE
- Physical-cyber crossover — because UniFi Access controls doors and physical entry, admin account compromise is a higher-value target for motivated attackers
Coordinated Disclosure Pattern
The simultaneous disclosure of four critical/critical-severity CVEs across UniFi Connect, Access, and Talk suggests Ubiquiti conducted (or received) a comprehensive security audit of their UniFi OS application ecosystem. Organizations should treat this as a signal to review all UniFi OS-based deployments holistically — not just patch the four named CVEs.
Detection
| Indicator | Detection Method |
|---|---|
| Admin accounts making unusual configuration changes | Application audit logs |
| Unexpected process elevation on UniFi Access host | Host process monitoring |
| OS-level file modifications outside application directories | File integrity monitoring |
| New scheduled tasks or cron jobs on UniFi OS devices | Host configuration monitoring |
| Anomalous physical access patterns following a network event | Physical security correlation |