Severity: Critical

Improper Access Control in Ubiquiti UniFi OS Authentication Gateway

Identifiers: CVE-2026-34908 · CWE-284 (Improper Access Control)

CVE-2026-34908 is a critical improper access control vulnerability in UniFi OS devices, including UniFi OS Server, and is described as affecting the authentication gateway. The flaw allows a malicious actor with network access to make unauthorized changes to the target system without authenticating. Supporting reporting ties the weakness to request handling in the authentication path: access control is evaluated against the raw request URI while routing uses the normalized URI, so a request whose raw form does not match the check can still be routed, once normalized, to a path the check was meant to cover. On its own, the issue enables unauthorized modification of vulnerable systems; published research also chains it with CVE-2026-34909 and CVE-2026-34910 to reach unauthenticated remote code execution and, ultimately, root compromise on UniFi OS Server 5.0.6 and earlier.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated network attacker to bypass intended access restrictions and make unauthorized changes to the UniFi OS system. The vendor and third-party reporting characterize the impact as potentially leading to full device compromise. In demonstrated exploit chains, CVE-2026-34908 serves as the initial access-control bypass that, when combined with the related path traversal and command injection flaws, enables unauthenticated command execution and subsequent root-level compromise. Given UniFi OS's role as a management plane, compromise can expose or affect managed infrastructure and sensitive administrative data.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network exposure of UniFi OS management interfaces, especially from untrusted networks and the public Internet. Monitor for suspicious requests involving the /api/auth/validate-sso/ prefix and encoded traversal patterns noted in public research, and investigate unexpected access to internal proxy routes or unauthorized configuration changes. Increase logging and review for signs of compromise, but note that unauthenticated exploitation may leave limited authentication artifacts. If compromise is suspected, rotate sensitive secrets and administrative tokens after remediation.
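The raw-versus-normalized URI mismatch described in the summary, and the log review this mitigation recommends, as one added Python example that is not from this page or from Ubiquiti: a small model of the weakness class (an access check made on the raw request target beside one made on the normalized path the router actually uses), plus a scan over constructed Nginx access-log lines that flags requests under the /api/auth/validate-sso/ prefix carrying percent-encoded bytes or normalizing to a path outside that prefix. The /protected/ route, the IP addresses and the log lines are made up for the example; only the prefix comes from the public research the page cites.

```python
"""Raw-vs-normalized URI divergence, and a log scan for requests that use it.

Constructed illustration, not Ubiquiti's code: an access-control check made on
the raw request URI can disagree with the path a router picks after
percent-decoding and dot-segment removal. The sample log lines, the IPs and
the '/protected/' prefix are made up; only '/api/auth/validate-sso/' comes
from public reporting on CVE-2026-34908.
"""
import re
from urllib.parse import unquote

WATCHED_PREFIX = "/api/auth/validate-sso/"   # prefix named in public research


def normalize_path(raw_target: str) -> str:
    """Return the path a router would match on: query stripped, percent-decoding
    applied until stable (collapses double encoding), then '.', '..' and empty
    segments resolved. A trailing slash is preserved."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):                      # bounded: stop once decoding is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if path.endswith("/") and segments:
        result += "/"
    return result


def gate(raw_target: str, protected_prefix: str, check_normalized: bool):
    """Model of the weakness class. Routing always uses the normalized path.
    With check_normalized=False the access check inspects the raw target
    (the flawed order); with True it inspects the same path that is routed.
    Returns (routed_path, blocked)."""
    routed = normalize_path(raw_target)
    checked = routed if check_normalized else raw_target.split("?", 1)[0]
    return routed, checked.startswith(protected_prefix)


def reaches_unchecked(raw_target: str, protected_prefix: str) -> bool:
    """True when the flawed order lets a request land on the protected route
    without the check firing, i.e. the raw and normalized views disagree."""
    routed, blocked = gate(raw_target, protected_prefix, check_normalized=False)
    return routed.startswith(protected_prefix) and not blocked


# Nginx 'combined' access-log format; the request target is logged raw.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENCODED_BYTES = re.compile(r"%[0-9a-fA-F]{2}")


def scan_log(lines):
    """Flag requests under WATCHED_PREFIX whose raw target carries percent-
    encoded bytes or whose normalized path escapes the prefix. Returns one
    dict per hit with the reasons, so an analyst can see why it matched."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["target"]
        if not raw.lower().startswith(WATCHED_PREFIX):
            continue
        normalized = normalize_path(raw)
        reasons = []
        if ENCODED_BYTES.search(raw.split("?", 1)[0]):
            reasons.append("percent-encoded bytes in path")
        if not normalized.startswith(WATCHED_PREFIX):
            reasons.append("normalizes outside watched prefix: " + normalized)
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "status": m["status"],
                         "raw": raw, "normalized": normalized, "reasons": reasons})
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /api/auth/validate-sso/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/auth/validate-sso/..%2fprotected/x HTTP/1.1" 200 40 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /api/auth/validate-sso/%2e%2e/%2e%2e/protected/y HTTP/1.1" 200 55 "-" "curl/8.0"',
    '192.0.2.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/users/self HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Hypothetical route: the raw-URI check misses what the router will serve.
    print(gate("/public/..%2fprotected/x", "/protected/", check_normalized=False))
    print(gate("/public/..%2fprotected/x", "/protected/", check_normalized=True))
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["raw"], "->", hit["normalized"], hit["reasons"])
```

Running the module prints the model's two decisions for the same request and then the flagged log lines. The "normalizes outside watched prefix" reason is the one to triage first, since it is exactly the condition under which a raw-URI check and a normalized route disagree; a literal prefix match with no encoding is ordinary traffic and is not reported.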

Remediation

Patch, then assume compromise.

Upgrade affected UniFi OS products to vendor-fixed releases. For UniFi OS Server, reporting states the issue is fixed in version 5.0.8 and later; broader UniFi OS device families should be updated to the vendor versions listed in Ubiquiti Security Advisory Bulletin 064 for the relevant product line. Ubiquiti's fixes reportedly include URI-normalization checks in Nginx and related hardening in affected request-handling paths. Because this vulnerability may have been used as part of a full compromise chain, patching should be accompanied by incident review and credential/secret rotation where compromise is suspected.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos (valid: 0 of 1 total).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability (vendor-confirmed product mapping).

Vendor      Product            Type
Ubiquiti    Unifi Os           application
Ubiquiti    Unifi Os Server    operating_system
