CVE-2026-54408

Ubiquiti · UniFi Protect Application

Ubiquiti UniFi Protect Application contains an improper access control vulnerability, enabling unauthenticated attackers to bypass authentication for data streaming.

Executive summary

An improper access control vulnerability in the Ubiquiti UniFi Protect Application allows unauthorized parties to bypass authentication and access protected data streams.

Vulnerability

This is an improper access control vulnerability that allows an unauthenticated attacker with network access to bypass authentication checks specifically for data streaming services. This effectively permits unauthorized viewing of sensitive camera or video data managed by the application.

Business impact

This vulnerability poses a significant risk to organizational privacy and physical security by potentially exposing sensitive video surveillance data to unauthorized individuals. With a CVSS score of 8.6, this flaw constitutes a high-severity risk that requires immediate attention to prevent unauthorized surveillance and potential data privacy breaches.

Remediation

Immediate Action: Update the UniFi Protect Application to the latest version as soon as the vendor patch is released.

Proactive Monitoring: Review access logs for the UniFi Protect service to identify any anomalous streaming activity or unauthorized connections from unknown IP addresses.

Compensating Controls: Utilize a VPN or restricted access control list (ACL) to ensure that the UniFi Protect streaming service is not directly accessible from the open internet.
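One way to carry out the log review described under Proactive Monitoring, checked against the same trusted networks an ACL from Compensating Controls would allow. This is an added example, not vendor code: the log format, field names and network ranges below are constructed assumptions, since this page does not specify the UniFi Protect log layout.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks permitted to reach the streaming service (VPN pool, management VLAN).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# Constructed sample lines in a hypothetical key=value format; adapt LINE_RE to the real logs.
SAMPLE_LOG = """\
2026-01-10T03:12:44Z src=10.20.0.15 event=stream_start camera=cam-lobby
2026-01-10T03:13:02Z src=203.0.113.57 event=stream_start camera=cam-lobby
2026-01-10T03:13:05Z src=203.0.113.57 event=stream_start camera=cam-dock
2026-01-10T03:14:40Z src=192.168.50.9 event=login user=admin
2026-01-10T03:15:11Z src=not-an-ip event=stream_start camera=cam-dock
2026-01-10T03:16:00Z src=198.51.100.8 event=login user=guest
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+event=(?P<event>\S+)(?:\s+camera=(?P<camera>\S+))?"
)


def find_untrusted_streams(log_text):
    """Return ({source_ip: [(timestamp, camera), ...]}, [lines needing manual review])."""
    hits, unparsed = defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)
            continue
        if m["event"] != "stream_start":
            continue  # only streaming activity is in scope for this review
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            unparsed.append(line)  # malformed source field: keep for manual review
            continue
        if not any(addr in net for net in TRUSTED_NETS):
            hits[str(addr)].append((m["ts"], m["camera"]))
    return dict(hits), unparsed


if __name__ == "__main__":
    hits, unparsed = find_untrusted_streams(SAMPLE_LOG)
    for src, events in sorted(hits.items()):
        print(f"REVIEW {src}: {len(events)} stream(s), first seen {events[0][0]}")
    for line in unparsed:
        print(f"UNPARSED {line}")
```

Any source reported here reached the streaming service from outside the networks the ACL is meant to allow, which means either the ACL is not in effect or the trusted list is incomplete.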

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the nature of the leaked data, which can include sensitive video footage, this vulnerability should be treated with extreme urgency. Organizations must verify which version they are currently running and apply updates immediately to secure their video data streams against unauthorized access.