Ubiquiti released security updates for three maximum-severity vulnerabilities in its UniFi Operating System. These flaws affect a wide range of networking and IT infrastructure devices. Remote attackers can exploit these vulnerabilities without privileges to make unauthorized changes, access system files, or execute command injections.
The patches address Improper Access Control (CVE-2026-34908), Path Traversal (CVE-2026-34909), and Improper Input Validation (CVE-2026-34910). Ubiquiti also fixed a second critical command injection flaw. A separate high-severity information disclosure vulnerability was also addressed.
Nearly 100,000 UniFi OS endpoints currently remain exposed to the internet. Security researchers reported the flaws through the company’s bug bounty program. Ubiquiti has not disclosed whether attackers have exploited these vulnerabilities in the wild.