On March 18, 2026, Ubiquiti published Security Advisory Bulletin 062 disclosing CVE-2026-22557, a maximum-severity path traversal vulnerability in the UniFi Network Application. Security researcher n00r3 (@izn0u) discovered and reported the flaw.
The Vulnerability
CVE-2026-22557 carries a CVSS 10.0 score — the maximum possible rating. According to CyCognito's analysis and FirstPassLab's technical assessment:
- Attack vector: Network (remotely exploitable)
- Authentication required: None
- User interaction: None
- Scope: Changed (impact extends beyond the vulnerable component)
An unauthenticated attacker with network access to the controller can exploit the path traversal (CWE-22) to read files on the underlying operating system and to manipulate database configuration, credential stores, and access tokens, achieving full administrative account takeover.
Companion Vulnerability
CVE-2026-22558 is a NoSQL injection flaw (CVSS 7.7) in the same application, confirmed by SentinelOne. It requires low-privileged authenticated access but enables privilege escalation. The two vulnerabilities chain: CVE-2026-22557 provides the initial unauthenticated foothold, and CVE-2026-22558 escalates it to full administrative control.
Because UniFi Network Application manages network infrastructure — access points, switches, and gateways — controller compromise translates to control over the entire network environment.
Patched Versions
- UniFi Network Application: 10.1.89 and later
- UniFi Express: 4.0.13 and later
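As an added example (not from the advisory or from Ubiquiti), a patch-state check against the fixed versions listed above. Version strings are compared numerically rather than as text, which is the usual mistake in inventory scripts; the product keys and the inventory records are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed versions from Ubiquiti's bulletin 062 as stated on this page.
# Product keys are constructed labels, not Ubiquiti identifiers.
PATCHED_VERSIONS = {
    "unifi-network-application": (10, 1, 89),
    "unifi-express": (4, 0, 13),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.build' from strings such as '10.1.89' or 'v10.1.89-build1'.
    Returns None when the string does not start with three numeric components."""
    m = _VERSION_RE.match(raw)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(product: str, raw_version: str) -> Optional[bool]:
    """True if the installed version is at or above the fixed version for CVE-2026-22557.
    Tuple comparison avoids the string-compare trap where '9.3.45' sorts after '10.1.89'.
    Returns None for an unknown product or unparseable version (verify manually)."""
    floor = PATCHED_VERSIONS.get(product)
    version = parse_version(raw_version)
    if floor is None or version is None:
        return None
    return version >= floor


# Constructed inventory, not real devices: (hostname, product, reported version)
INVENTORY = [
    ("ctl-hq", "unifi-network-application", "10.1.89"),
    ("ctl-branch", "unifi-network-application", "9.3.45"),
    ("ux-lab", "unifi-express", "4.0.13"),
    ("ux-shop", "unifi-express", "v4.0.2"),
    ("ctl-old", "unifi-network-application", "unknown"),
]


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Return (hosts still unpatched, hosts whose state could not be determined)."""
    needs_patch, verify = [], []
    for host, product, ver in inventory:
        state = is_patched(product, ver)
        if state is False:
            needs_patch.append(host)
        elif state is None:
            verify.append(host)
    return needs_patch, verify


if __name__ == "__main__":
    print(triage(INVENTORY))
```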
Context
This is the third maximum-severity vulnerability disclosed in Ubiquiti UniFi products within 12 months, highlighting a persistent pattern of critical security issues in the management plane of widely deployed network infrastructure. Organisations running UniFi should treat the management interface as a high-value target and restrict network access to it (ISO 27001 Annex A control 8.20 — network security). No confirmed active exploitation has been reported as of late March 2026, but exploitation is assessed as trivial given the low attack complexity.