UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)
Vulnerability
Summary
UniFi OS Server is exposed to an unauthenticated root RCE chain that combines CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, putting versions 5.0.6 and earlier at risk. Researchers validated the chain on a live 5.0.6 instance and showed that it can reach root without credentials or user interaction. The flaws were fixed in May, and defenders can confirm exposure with a free detection script before upgrading to 5.0.8 or later.
Timeline
- 08.06.2026 18:51 (2 articles)
Bishop Fox validates unauthenticated root RCE chain in UniFi OS Server
Initial Disclosure: Bishop Fox says CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 can be chained in Ubiquiti UniFi OS Server versions 5.0.6 and earlier to bypass authentication, reach a vulnerable package-update endpoint, and execute commands with root privileges, without credentials or user interaction. The researchers also say the flaws were fixed in May and that the chain no longer works on UniFi OS Server 5.0.8. They released a free detection script and hunting guidance that focuses on requests to /api/auth/validate-sso/ and ucs/update/latest_package.
- Critical UniFi OS bug lets hackers gain root without authentication — www.bleepingcomputer.com — 08.06.2026 18:51
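Added example, not Bishop Fox's detection script or code from the article: a small Python hunt over constructed web-server access-log lines that flags requests to the two endpoints named in the hunting guidance and correlates a validate-sso request followed by a latest_package request from the same source, the order the chain description implies. The combined log format, the request methods, and the leading path segment before ucs/update/latest_package are assumptions; the sample lines are constructed, not real traffic.

```python
import re

# Endpoints named in the published hunting guidance; the page gives the second
# one without a leading path, so matching is done by substring (assumption).
WATCHED_PATHS = ("/api/auth/validate-sso/", "ucs/update/latest_package")

# Constructed sample log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2026:18:40:01 +0000] "POST /api/auth/validate-sso/ HTTP/1.1" 200 512 "-" "curl/8.5"
198.51.100.3 - - [08/Jun/2026:18:40:05 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2026:18:40:09 +0000] "POST /ucs/update/latest_package HTTP/1.1" 200 77 "-" "curl/8.5"
198.51.100.3 - - [08/Jun/2026:18:41:00 +0000] "GET /api/auth/validate-sso/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_hits(log_text):
    """Return every parsed request whose path contains a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(p in rec["path"] for p in WATCHED_PATHS):
            hits.append(rec)
    return hits


def find_chain_candidates(log_text):
    """Source IPs that reached validate-sso and later latest_package, in that
    order; a single hit on either path alone is only a lower-confidence signal."""
    seen_sso, candidates = set(), []
    for rec in find_hits(log_text):
        if WATCHED_PATHS[0] in rec["path"]:
            seen_sso.add(rec["ip"])
        elif WATCHED_PATHS[1] in rec["path"] and rec["ip"] in seen_sso:
            candidates.append(rec["ip"])
    return candidates
```

Run it against the real access log of an unpatched instance before upgrading; any source listed by find_chain_candidates merits a closer look at what that host did next.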