Improper Access Control in UniFi OS Devices by Ubiquiti
CVE-2026-34908
Key Information:
- Vendor
Ubiquiti Inc
- Vendor
- CVE Published:
- 22 May 2026
Badges
What is CVE-2026-34908?
A vulnerability exists in Ubiquiti's UniFi OS devices, where improper access controls allow a malicious actor with network access to exploit this weakness, leading to unauthorized modifications to the system. This issue raises significant concerns regarding the security and integrity of affected devices, necessitating immediate attention from users.
CISA has reported CVE-2026-34908
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2026-34908 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Affected Version(s)
EFG 0 < 5.1.12
ENVR 0 < 5.1.12
ENVR-Core 0 < 5.1.12
News Articles
References
CVSS V3.1
Timeline
- 🦅
CISA Reported
- 👾
Exploit known to exist
- 📰
First article discovered by BleepingComputer
Vulnerability published
Vulnerability Reserved