CVE-2026-54403
Ubiquiti · UniFi OS Server
A path traversal vulnerability in Ubiquiti UniFi OS Server allows network-adjacent attackers to bypass authentication mechanisms and gain unauthorized access to device instances.
Executive summary
A path traversal vulnerability in Ubiquiti UniFi OS Server enables attackers to bypass authentication and gain unauthorized access to affected devices.
Vulnerability
This is a path traversal vulnerability that permits an unauthenticated attacker with network access to traverse directory structures. By manipulating file paths, an attacker can bypass authentication controls and interact with internal UniFi OS components.
Business impact
Successful exploitation allows unauthorized actors to bypass security controls, potentially leading to complete control over the UniFi OS management environment. The 8.6 CVSS score underscores the high risk of this vulnerability, which could result in unauthorized data access or the modification of network configuration settings.
Remediation
Immediate Action: Apply the latest firmware or software updates provided by Ubiquiti as soon as they are made available.
Proactive Monitoring: Monitor network traffic for unusual GET/POST requests containing directory traversal sequences (e.g., "../") directed at UniFi OS management endpoints.
Compensating Controls: Restrict access to the UniFi management interface to a dedicated management VLAN and ensure it is not reachable from untrusted or public-facing networks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The authentication bypass capability of this vulnerability makes it a high-priority target for malicious actors. Security teams should ensure that all UniFi OS deployments are updated immediately and that management interfaces are restricted to authorized personnel.