Skip to content

Ubiquiti UniFi Connect CVE-2026-50746 (10.0): SAB-066 lands 25 flaws

Ubiquiti's SAB-066 patches 25 UniFi flaws led by CVE-2026-50746 — an unauthenticated command injection in Connect ≤3.4.16 (CVSS 10.0). Fix ships in Connect 3.4.20.

Published 5 min read

Ubiquiti published Security Advisory Bulletin 066 on July 8, 2026, disclosing 25 vulnerabilities across the UniFi ecosystem — Connect, Talk, Access, Protect, Network Application, Protect Floodlight, and UniFi OS. Four rate critical. The lead item, CVE-2026-50746, scores CVSS 10.0: an improper-access-control flaw in UniFi Connect Application ≤3.4.16 that lets a network-adjacent, unauthenticated attacker execute arbitrary commands on the host. Fix ships in UniFi Connect 3.4.20.

Ubiquiti states there is no evidence of in-the-wild exploitation for any of the 25 flaws. That is the calm before the patch-diff window closes.

The critical set

Four vulnerabilities in SAB-066 sit at or above CVSS 9.9. Per Ubiquiti's bulletin and secondary tracking at BleepingComputer and Security Affairs:

  • CVE-2026-50746 — CVSS 10.0. UniFi Connect Application ≤3.4.16. Improper access control → unauthenticated command injection on the host. Network-adjacent, no privileges, no user interaction. Fix: Connect 3.4.20.
  • CVE-2026-50747 — CVSS 9.9. UniFi Talk ≤5.1.2. Authenticated SQL injection reachable from a low-privileged network user; the payload lets that user escalate privileges on the host. Fix: Talk 5.2.2.
  • CVE-2026-50748 — CVSS 9.9. UniFi Access. Command injection exploitable by a low-privileged network user. Fix: Access 4.2.29.
  • CVE-2026-55115 — CVSS 9.9. UniFi Protect Application ≤7.1.77. Server-side request forgery reachable from a low-privileged network user, escalating to privilege gain on the host. Fix: Protect 7.1.83.

The rest of SAB-066 — 21 further items — spans command injection, path traversal, DoS, and information-disclosure bugs at moderate-to-high severity. Ubiquiti credits Abdulaziz Almadhi (Catchify Security) on six of the entries across Access, Talk, and Protect; Brandon Rossi on four across Protect and Access; Duc Anh Nguyen and Garett Kopcha on two each covering Connect, Talk, and Network Application. See the Ubiquiti bulletin for the full CVE list and per-item credit.

Patched versions to run

From Ubiquiti's bulletin:

  • UniFi Connect3.4.20 or later
  • UniFi Talk5.2.2 or later
  • UniFi Access4.2.29 or later
  • UniFi Protect Application7.1.83 or later
  • UniFi Protect Floodlight1.13.6 or later
  • UniFi Network Application10.4.57 or later
  • UniFi OS5.1.19 or later (on affected UDM, UNVR, and UNAS devices)

Cloud-managed instances receive the update on Ubiquiti's schedule; self-hosted UniFi Network / Protect controllers and UDM appliances have to be patched by the operator.

Exploitation status

  • Not in CISA KEV as of publication. Check the Known Exploited Vulnerabilities catalog directly if you are tracking a federal or KEV-mirroring deadline.
  • No named in-the-wild campaign at time of writing. Ubiquiti's bulletin states so explicitly.
  • CVE-2026-50746's vector is network-adjacent, meaning the attacker needs to reach the UniFi Connect Application's management surface. That is normally the LAN — but any operator who has exposed Connect over WAN via port forward, misconfigured reverse proxy, or a flat management VLAN shared with a compromised host is one packet from RCE.

Action checklist

  1. Update UniFi Connect to 3.4.20 today. The CVSS-10.0 primitive on that surface is unauthenticated; every hour it runs on 3.4.16 or earlier is a hour of exposure to any device on the same broadcast domain.
  2. Upgrade Talk, Access, Protect, Network Application, Protect Floodlight, and UniFi OS to the versions above in the same maintenance window. The three 9.9-rated flaws require authenticated low-privileged access, which describes any tenant or camera-viewer account on a Protect/Talk deployment.
  3. Audit which UniFi surfaces answer on the WAN. Port-forwards to the controller, the Protect app, or the Connect app should be pulled and replaced with WireGuard or Ubiquiti Site-to-Site VPN. If you cannot pull them today, restrict the source IPs at the edge firewall until the patch is deployed.
  4. Rotate low-privileged UniFi account credentials on Talk, Access, and Protect after the update. The 9.9-rated flaws were exploitable from that role until yesterday; a stolen credential that was harmless on 5.1.2 is admin-equivalent on 5.1.2.
  5. Watch the KEV feed for these CVE IDs. CISA has been fast to add UniFi bugs when exploitation surfaces; the first named campaign against a home-network vendor with this footprint moves quickly.

Context

SAB-066 is the second Ubiquiti bulletin in a fortnight — SAB-064 shipped in late June — and it is the first UniFi bulletin of 2026 to land a CVSS-10.0 item. The pattern that keeps recurring across UniFi advisories this year is the management-plane / control-plane collapse: Connect, Talk, Access, and Protect each expose a rich API surface intended for LAN, but Ubiquiti's default installation path optimises for one-tap deployment on a home or small-business network, and it is that flat topology that turns a bug in any one of the applications into RCE on the appliance that also carries the site's DNS, routing, and camera storage. The take-away for security teams running UniFi at scale is the same take-away as last quarter: segment management from user traffic aggressively, and treat every new UniFi bulletin as an appliance-firmware advisory even when the CVE is described as an application-layer issue.

Related stories