Mallory
Critical

Path Traversal in Ubiquiti UniFi OS Authentication Gateway

Identifiers: CVE-2026-34909; CWE-22 · Improper Limitation of a Pathname…

CVE-2026-34909 is a path traversal vulnerability affecting Ubiquiti UniFi OS devices, including UniFi OS Server. A network-accessible attacker can exploit the flaw to traverse directories and access files on the underlying operating system. Available reporting indicates the issue is in the UniFi OS authentication gateway and can expose sensitive files from the host system. Bishop Fox reported that, in practice, CVE-2026-34909 can be combined with CVE-2026-34908 to bypass authentication and reach internal protected endpoints due to differences between raw URI validation and normalized URI routing in the request handling path. The vendor and third-party reporting further state that accessed files may be manipulated or leveraged to obtain access to an underlying system account, making the flaw more than a simple file-read issue when used in an attack chain.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can expose sensitive files on the underlying operating system and may enable compromise of an underlying account. In chained exploitation, CVE-2026-34909 contributes to authentication bypass when combined with CVE-2026-34908, enabling access to vulnerable internal endpoints that can then be abused with CVE-2026-34910 for unauthenticated command execution and eventual full device compromise. Because UniFi OS often manages network infrastructure, surveillance, access control, and identity-related services, compromise can have broad downstream operational and security impact.

Mitigation

If you can’t patch tonight, do this now.

Prioritize patching and restrict exposure of UniFi OS management interfaces to trusted networks only; do not leave them publicly reachable where avoidable. Monitor for suspicious requests involving authentication-gateway paths such as /api/auth/validate-sso/ together with encoded traversal sequences like ..%2f, ..%2e, or %2e%2e, as noted in third-party research on the exploit chain. Investigate unusual access to internal endpoints and review systems for evidence of file access, account compromise, or follow-on exploitation. If compromise is suspected, rotate relevant secrets and credentials because patching alone may not remediate historic compromise.
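
The monitoring guidance above can be turned into a log check. The following Python sketch is an added example, not code from the vendor, Bishop Fox, or Mallory. It assumes a common/combined-format access log in front of the device; the function names and the placeholder request targets in the sample lines are constructed for illustration. It goes slightly beyond the listed sequences by also decoding repeatedly and comparing the raw path with its normalized form, so double-encoded variants are caught.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Path and encoded sequences named in the advisory text (matched case-insensitively).
GATEWAY_PATH = "/api/auth/validate-sso/"
ENCODED_TRAVERSAL = re.compile(r"\.\.%2f|\.\.%2e|%2e%2e", re.IGNORECASE)
# Assumption: common/combined access-log layout with a quoted request line.
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses and target paths are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:00:00:01 +0000] "GET /api/auth/validate-sso/abc123 HTTP/1.1" 200 12',
    '198.51.100.9 - - [01/Jan/2026:00:00:02 +0000] "GET /api/auth/validate-sso/..%2f..%2fplaceholder/endpoint HTTP/1.1" 200 88',
    '198.51.100.9 - - [01/Jan/2026:00:00:03 +0000] "GET /api/auth/validate-sso/%252e%252e/%252e%252e/placeholder HTTP/1.1" 200 88',
    '198.51.100.4 - - [01/Jan/2026:00:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
]


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_line(line):
    """Return a finding dict for a suspicious gateway request, else None."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    raw_path = urlsplit(m.group(1)).path  # urlsplit keeps percent-encoding intact
    if GATEWAY_PATH not in raw_path.lower():
        return None
    normalized = posixpath.normpath(fully_decode(raw_path))
    reasons = []
    if ENCODED_TRAVERSAL.search(raw_path):
        reasons.append("encoded-traversal")
    # Raw path names the gateway, but the normalized path resolves elsewhere.
    if GATEWAY_PATH not in (normalized + "/").lower():
        reasons.append("normalizes-outside-gateway")
    return {"raw": raw_path, "normalized": normalized, "reasons": reasons} if reasons else None


def scan(lines):
    """Inspect every log line and return only the findings."""
    return [f for f in map(inspect_line, lines) if f]
```

Run `scan()` over historical logs as well as live traffic, since a hit that predates patching is a reason to follow the assume-compromise steps.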

Remediation

Patch, then assume compromise.

Upgrade affected UniFi OS products to vendor-fixed releases. For UniFi OS Server, reporting indicates the issue is fixed in version 5.0.8 or later. Ubiquiti also issued fixed versions across other affected UniFi OS device families in Security Advisory Bulletin 064; administrators should apply the vendor-recommended release for their specific platform. After patching, review systems for signs of prior compromise because patching does not invalidate secrets or persistence that may already have been obtained by an attacker.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Ubiquiti | Express | operating_system
Ubiquiti | Unifi Os | application
Ubiquiti | Unifi Os Server | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
