Improper Access Control in UniFi OS Enables Unauthorized System Changes
CVE-2026-34908 Published on May 22, 2026

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

NVD

Known Exploited Vulnerability

This Ubiquiti UniFi OS Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

The following remediation steps are recommended / required by June 26, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-34908 has been classified as an Authorization vulnerability or weakness.


Affected Versions

Ubiquiti Inc UniFi OS Server:
Ubiquiti Inc UDM:
Ubiquiti Inc UDM-Pro:
Ubiquiti Inc UDM-SE:
Ubiquiti Inc UDM-Pro-Max:
Ubiquiti Inc UDM-Beast:
Ubiquiti Inc EFG:
Ubiquiti Inc UDW:
Ubiquiti Inc UDR:
Ubiquiti Inc UDR7:
Ubiquiti Inc UDR-5G:
Ubiquiti Inc Express 7:
Ubiquiti Inc UNVR:
Ubiquiti Inc UNVR-Pro:
Ubiquiti Inc UNVR-Instant:
Ubiquiti Inc UNVR-G2:
Ubiquiti Inc UNVR-G2-Pro:
Ubiquiti Inc ENVR:
Ubiquiti Inc ENVR-Core:
Ubiquiti Inc UNAS-2:
Ubiquiti Inc UNAS-4:
Ubiquiti Inc UNAS-Pro:
Ubiquiti Inc UNAS-Pro-4:
Ubiquiti Inc UNAS-Pro-8:
Ubiquiti Inc UCKP:
Ubiquiti Inc UCK:
Ubiquiti Inc UCK-Enterprise:
Ubiquiti Inc UCG-Ultra:
Ubiquiti Inc UCG-Max:
Ubiquiti Inc UCG-Fiber:
Ubiquiti Inc UCG-Industrial:

Exploit Probability

EPSS: 0.57%
Percentile: 42.42%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.