CVE-2026-34909

Deferred
Published: 22 May 2026, 00:43
Last modified: 24 Jun 2026, 03:56

Vulnerability Summary

  • Overall Risk (default): high, 70/100
  • CVSS Score: 10 CRITICAL, v3.1 (cve.org)
  • EPSS Score: 1.82% LOW (2% probability, +0.93%)
  • KEV: Listed (CISA, 1 listing)
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 22 May 2026, 00:43: Published. Vulnerability first disclosed.

  • 23 Jun 2026, 00:00: Added to CISA KEV. Ubiquiti UniFi OS Path Traversal Vulnerability.

  • 24 Jun 2026, 03:56: Last Modified. Vulnerability information updated.

  • 26 Jun 2026, 00:00: CISA Remediation Due.

    Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

CVSS Metrics

  • v3.1, CRITICAL, Score: 10, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.82%. Percentile: 76%.

Techniques & Countermeasures

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • ubiquiti inc efg: < 5.1.12
  • ubiquiti inc envr: < 5.1.12
  • ubiquiti inc envr-core: < 5.1.12
  • ubiquiti inc express: < 4.0.14
  • ubiquiti inc express 7: < 5.1.12
  • ubiquiti inc ucg-fiber: < 5.1.12
  • ubiquiti inc ucg-industrial: < 5.1.12
  • ubiquiti inc ucg-max: < 5.1.12
  • ubiquiti inc ucg-ultra: < 5.1.12
  • ubiquiti inc uck: < 5.1.12
  • ubiquiti inc uck-enterprise: < 5.1.12
  • ubiquiti inc uckp: < 5.1.12
  • ubiquiti inc udm: < 5.1.12
  • ubiquiti inc udm-beast: < 5.1.11
  • ubiquiti inc udm-pro: < 5.1.12
  • ubiquiti inc udm-pro-max: < 5.1.12
  • ubiquiti inc udm-se: < 5.1.12
  • ubiquiti inc udr: < 5.1.12
  • ubiquiti inc udr-5g: < 5.1.12
  • ubiquiti inc udr7: < 5.1.12
  • ubiquiti inc udw: < 5.1.12
  • ubiquiti inc unas-2: < 5.1.10
  • ubiquiti inc unas-4: < 5.1.10
  • ubiquiti inc unas-pro: < 5.1.10
  • ubiquiti inc unas-pro-4: < 5.1.10
  • ubiquiti inc unas-pro-8: < 5.1.10
  • ubiquiti inc unifi os server: < 5.0.8
  • ubiquiti inc unvr: < 5.1.12
  • ubiquiti inc unvr-g2: < 5.1.12
  • ubiquiti inc unvr-g2-pro: < 5.1.12
  • ubiquiti inc unvr-instant: < 5.1.12
  • ubiquiti inc unvr-pro: < 5.1.12
