CVE-2026-54408
Ubiquiti · UniFi Protect Application
Ubiquiti UniFi Protect Application contains an improper access control vulnerability, enabling unauthenticated attackers to bypass authentication for data streaming.
Executive summary
An improper access control vulnerability in the Ubiquiti UniFi Protect Application allows unauthorized parties to bypass authentication and access protected data streams.
Vulnerability
This is an improper access control vulnerability that allows an unauthenticated attacker with network access to bypass authentication checks specifically for data streaming services. This effectively permits unauthorized viewing of sensitive camera or video data managed by the application.
Business impact
This vulnerability poses a significant risk to organizational privacy and physical security by potentially exposing sensitive video surveillance data to unauthorized individuals. With a CVSS score of 8.6, this flaw constitutes a high-severity risk that requires immediate attention to prevent unauthorized surveillance and potential data privacy breaches.
Remediation
Immediate Action: Update the UniFi Protect Application to the latest version as soon as the vendor patch is released.
Proactive Monitoring: Review access logs for the UniFi Protect service to identify any anomalous streaming activity or unauthorized connections from unknown IP addresses.
Compensating Controls: Use a VPN or a restrictive access control list (ACL) to ensure that the UniFi Protect streaming service is not directly accessible from the open internet.
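Added example (not part of the vendor advisory and not Ubiquiti code): one way to carry out the log review described under Proactive Monitoring, flagging stream starts that come from outside known networks or that have no recent successful login from the same source. The key=value log format, the trusted network range and the 30-minute window are assumptions; adapt the parser to whatever your deployment actually records.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (not from the advisory): trusted viewer networks and auth window.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
AUTH_WINDOW = timedelta(minutes=30)

# Constructed sample lines in a hypothetical key=value log format.
SAMPLE_LOG = """\
2026-01-10T08:00:01 src=10.20.0.15 event=auth_ok user=alice
2026-01-10T08:00:05 src=10.20.0.15 event=stream_start camera=lobby
2026-01-10T09:12:40 src=10.20.0.77 event=stream_start camera=dock
2026-01-10T09:30:00 src=203.0.113.9 event=stream_start camera=lobby
not a log line
2026-01-10T10:00:00 src=10.20.0.15 event=stream_start camera=dock
"""

def parse(line):
    """Return (timestamp, source IP, event, fields) or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, ipaddress.ip_address(fields["src"]), fields["event"], fields
    except (ValueError, KeyError):
        return None

def find_suspect_streams(log_text):
    """Flag stream starts from untrusted sources or without a recent login."""
    last_auth, findings = {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ts, src, event, fields = rec
        if event == "auth_ok":
            last_auth[src] = ts
        elif event == "stream_start":
            reasons = []
            if not any(src in net for net in TRUSTED_NETS):
                reasons.append("untrusted-source")
            seen = last_auth.get(src)
            if seen is None or ts - seen > AUTH_WINDOW:
                reasons.append("no-recent-auth")
            if reasons:
                findings.append((str(src), fields.get("camera", "?"), reasons))
    return findings
```

Long-lived viewer sessions will trip the "no-recent-auth" rule, so tune the window to your session lifetime before alerting on it.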
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because the exposed data can include sensitive video footage, this vulnerability should be treated with extreme urgency. Organizations must verify which version they are currently running and apply updates immediately to secure their video data streams against unauthorized access.