Ubiquiti disclosed and patched two vulnerabilities in the UniFi Network Application, including CVE-2026-22557, a critical path traversal flaw with a CVSS score of 10.0 that can be exploited by an unauthenticated attacker with network access. The flaw allows access to files on the underlying system, which can then be manipulated to gain access to an underlying account and potentially seize administrative control of the host. A second issue, CVE-2026-22558, is a high-severity authenticated NoSQL injection vulnerability rated 7.7 that can allow privilege escalation by attackers who already have valid access.
Affected releases include UniFi Network Application 10.1.85 and earlier, 10.2.93 and earlier, and 9.0.114 and earlier. Ubiquiti says organizations should upgrade to 10.1.89 or later, 10.2.97 or later, or update UniFi Express firmware to 4.0.13 or later, which brings the application to 9.0.118 or later. Reporting across the sources consistently describes the first flaw as enabling account takeover or full compromise of the underlying system, while the second provides a post-authentication escalation path; one source also notes the critical bug was reported by researcher n00r3 (@izn0u), and another highlights asset discovery guidance for identifying exposed Ubiquiti UniFi Network deployments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
A high-severity path traversal vulnerability, CVE-2026-54406, was disclosed affecting self-hosted UniFi Network Application instances. The flaw can let a network-accessible attacker with high privileges escalate write permissions on the host device, and guidance recommended updating, restricting network access, and enforcing least privilege.
Following Ubiquiti's disclosure, public reporting and official advisories highlighted that CVE-2026-22557 could allow unauthenticated remote file access and possible takeover of the underlying system or account, while CVE-2026-22558 could enable privilege escalation. Administrators were urged to patch immediately and reduce exposure of internet-facing UniFi management interfaces.
Ubiquiti disclosed CVE-2026-22557, a critical/maximum-severity path traversal vulnerability, and CVE-2026-22558, a high-severity authenticated NoSQL injection flaw affecting multiple UniFi Network Application versions. The company released fixes and advised customers to upgrade to patched versions, including 10.1.89+, 10.2.97+, and UniFi Express firmware 4.0.13+ (app 9.0.118+).
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcebishopfox.com
Open sourcescworld.com
Open sourcecyberscoop.com
Open sourceccb.belgium.be
Open sourcesecurityaffairs.com
Open sourcerunzero.com
Open sourcecybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.