CVE-2026-50746
Ubiquiti · UniFi Connect Application
An improper access control vulnerability in the UniFi Connect Application allows unauthenticated network attackers to execute arbitrary commands on the host device.
Executive summary
A critical improper access control vulnerability in the Ubiquiti UniFi Connect Application enables unauthenticated attackers to achieve remote command execution on the host.
Vulnerability
The application fails to properly restrict access to sensitive functions, allowing an unauthenticated attacker on the network to trigger a command injection. This results in the ability to execute arbitrary commands with the privileges of the application process.
Business impact
With a CVSS score of 10.0, this vulnerability represents the highest level of risk. An attacker can achieve complete system compromise, leading to total loss of data confidentiality and integrity, and potentially using the affected device as a pivot point for further lateral movement within the network.
Remediation
Immediate Action: Update the Ubiquiti UniFi Connect Application to the latest patched version without delay.
Proactive Monitoring: Monitor system logs for suspicious process execution, unauthorized shell commands, or anomalous network traffic originating from the UniFi Connect host.
Compensating Controls: Deploy a Web Application Firewall (WAF) or Network Intrusion Detection System (NIDS) to identify and block payloads indicative of command injection attempts.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The 10.0 CVSS score dictates an emergency response posture for this vulnerability. Organizations running UniFi Connect must treat this as a critical priority, ensuring the software is updated immediately to prevent remote code execution. Immediate patching is the only effective way to mitigate this risk.