
CVE-2026-54402: UniFi OS Command Injection Risk from Network Access

Summary

A malicious actor with network access and low privileges can potentially inject commands on the UniFi OS host device, which could lead to unauthorized actions. This affects devices running UniFi OS (the products listed under Affected software, in versions before 5.1.19) and poses a risk to the security and integrity of the network. To mitigate this risk, ensure your UniFi OS devices are updated with the latest security patches and follow best practices for network access and user permissions.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| ubiquiti inc | unifi os server | < 5.1.19 |
| ubiquiti inc | dream machines | < 5.1.19 |
| ubiquiti inc | enterprise fortress gateway | < 5.1.19 |
| ubiquiti inc | dream wall | < 5.1.19 |
| ubiquiti inc | dream routers | < 5.1.19 |
| ubiquiti inc | express 7 | < 5.1.19 |
| ubiquiti inc | cloud keys | < 5.1.19 |
| ubiquiti inc | network video recorders | < 5.1.19 |
| ubiquiti inc | enterprise video recorders | < 5.1.19 |
| ubiquiti inc | cloud gateways | < 5.1.19 |
| ubiquiti inc | network attached storage | < 5.1.19 |
| ubiquiti inc | enterprise firewall core | < 5.1.19 |
Original title
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device.
Original description
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device.
CVSS 3.1 score: 9.9 (source: MITRE)
Vulnerability type
CWE-20 Improper Input Validation
Published: 2 Jul 2026 · Updated: 3 Jul 2026 · First seen: 2 Jul 2026