Ubiquiti UniFi Connect CVE-2026-50746 (10.0): SAB-066 lands 25 flaws
Ubiquiti's SAB-066 patches 25 UniFi flaws led by CVE-2026-50746 — an unauthenticated command injection in Connect ≤3.4.16 (CVSS 10.0). Fix ships in Connect 3.4.20.
Ubiquiti published Security Advisory Bulletin 066 on July 8, 2026, disclosing 25 vulnerabilities across the UniFi ecosystem — Connect, Talk, Access, Protect, Network Application, Protect Floodlight, and UniFi OS. Four rate critical. The lead item, CVE-2026-50746, scores CVSS 10.0: an improper-access-control flaw in UniFi Connect Application ≤3.4.16 that lets a network-adjacent, unauthenticated attacker execute arbitrary commands on the host. Fix ships in UniFi Connect 3.4.20.
Ubiquiti states there is no evidence of in-the-wild exploitation for any of the 25 flaws. That is the calm before the patch-diff window closes.
The critical set
Four vulnerabilities in SAB-066 sit at or above CVSS 9.9. Per Ubiquiti's bulletin and secondary tracking at BleepingComputer and Security Affairs:
- CVE-2026-50746 — CVSS 10.0. UniFi Connect Application ≤3.4.16. Improper access control → unauthenticated command injection on the host. Network-adjacent, no privileges, no user interaction. Fix: Connect 3.4.20.
- CVE-2026-50747 — CVSS 9.9. UniFi Talk ≤5.1.2. Authenticated SQL injection reachable from a low-privileged network user; the payload lets that user escalate privileges on the host. Fix: Talk 5.2.2.
- CVE-2026-50748 — CVSS 9.9. UniFi Access. Command injection exploitable by a low-privileged network user. Fix: Access 4.2.29.
- CVE-2026-55115 — CVSS 9.9. UniFi Protect Application ≤7.1.77. Server-side request forgery reachable from a low-privileged network user, escalating to privilege gain on the host. Fix: Protect 7.1.83.
The rest of SAB-066 — 21 further items — spans command injection, path traversal, DoS, and information-disclosure bugs at moderate-to-high severity. Ubiquiti credits Abdulaziz Almadhi (Catchify Security) on six of the entries across Access, Talk, and Protect; Brandon Rossi on four across Protect and Access; Duc Anh Nguyen and Garett Kopcha on two each covering Connect, Talk, and Network Application. See the Ubiquiti bulletin for the full CVE list and per-item credit.
Patched versions to run
From Ubiquiti's bulletin:
- UniFi Connect → 3.4.20 or later
- UniFi Talk → 5.2.2 or later
- UniFi Access → 4.2.29 or later
- UniFi Protect Application → 7.1.83 or later
- UniFi Protect Floodlight → 1.13.6 or later
- UniFi Network Application → 10.4.57 or later
- UniFi OS → 5.1.19 or later (on affected UDM, UNVR, and UNAS devices)
Cloud-managed instances receive the update on Ubiquiti's schedule; self-hosted UniFi Network / Protect controllers and UDM appliances have to be patched by the operator.
Exploitation status
- Not in CISA KEV as of publication. Check the Known Exploited Vulnerabilities catalog directly if you are tracking a federal or KEV-mirroring deadline.
- No named in-the-wild campaign at time of writing. Ubiquiti's bulletin states so explicitly.
- CVE-2026-50746's vector is network-adjacent, meaning the attacker needs to reach the UniFi Connect Application's management surface. That is normally the LAN — but any operator who has exposed Connect over WAN via port forward, misconfigured reverse proxy, or a flat management VLAN shared with a compromised host is one packet from RCE.
Action checklist
- Update UniFi Connect to 3.4.20 today. The CVSS-10.0 primitive on that surface is unauthenticated; every hour it runs on 3.4.16 or earlier is a hour of exposure to any device on the same broadcast domain.
- Upgrade Talk, Access, Protect, Network Application, Protect Floodlight, and UniFi OS to the versions above in the same maintenance window. The three 9.9-rated flaws require authenticated low-privileged access, which describes any tenant or camera-viewer account on a Protect/Talk deployment.
- Audit which UniFi surfaces answer on the WAN. Port-forwards to the controller, the Protect app, or the Connect app should be pulled and replaced with WireGuard or Ubiquiti Site-to-Site VPN. If you cannot pull them today, restrict the source IPs at the edge firewall until the patch is deployed.
- Rotate low-privileged UniFi account credentials on Talk, Access, and Protect after the update. The 9.9-rated flaws were exploitable from that role until yesterday; a stolen credential that was harmless on 5.1.2 is admin-equivalent on 5.1.2.
- Watch the KEV feed for these CVE IDs. CISA has been fast to add UniFi bugs when exploitation surfaces; the first named campaign against a home-network vendor with this footprint moves quickly.
Context
SAB-066 is the second Ubiquiti bulletin in a fortnight — SAB-064 shipped in late June — and it is the first UniFi bulletin of 2026 to land a CVSS-10.0 item. The pattern that keeps recurring across UniFi advisories this year is the management-plane / control-plane collapse: Connect, Talk, Access, and Protect each expose a rich API surface intended for LAN, but Ubiquiti's default installation path optimises for one-tap deployment on a home or small-business network, and it is that flat topology that turns a bug in any one of the applications into RCE on the appliance that also carries the site's DNS, routing, and camera storage. The take-away for security teams running UniFi at scale is the same take-away as last quarter: segment management from user traffic aggressively, and treat every new UniFi bulletin as an appliance-firmware advisory even when the CVE is described as an application-layer issue.