Ubiquiti has disclosed a maximum-severity flaw, CVE-2026-50746, that scores a perfect 10.0 and lets an unauthenticated attacker with network access run operating-system commands on the host running its UniFi Connect application. With roughly 100,000 UniFi OS endpoints reachable from the public internet, this is one of the broadest critical patch windows of 2026, and the fix, updating UniFi Connect to 3.4.20 or later, should not wait for a maintenance window.

  • No login required. The CVSS vector is AV:N/AC:L/PR:N/UI:N: network-reachable, low complexity, no privileges, no user interaction. If an attacker can reach the interface, they can run commands.
  • The root cause is broken access control. Classified CWE-284, the command-execution path is reachable without passing any authentication gate, so anyone with a network path gets full control of the host.
  • It is part of a 25-flaw bulletin. Advisory SAB-066 (July 2, 2026) also patched critical bugs in UniFi Talk, Access, Protect, and UniFi OS itself, several scoring 9.9.
  • There are no workarounds. Ubiquiti lists patching as the only mitigation; UniFi Connect 3.4.16 and earlier are vulnerable.
How CVE-2026-50746 turns network access into host control An attacker with a network path reaches the UniFi Connect command path, which lacks an authentication gate, and executes operating-system commands directly on the host, gaining full control. UNAUTHENTICATED COMMAND INJECTION Attackernetwork access request UniFi Connect no auth gate command path exposed inject OS commands runfull host control CVSS 10.0  ·  AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Fix: update UniFi Connect to 3.4.20 or later. No workaround exists. genztech.blog
Fig 1 The whole attack: reach the interface, hit an unguarded command path, and the host runs whatever you send.

What exactly is vulnerable?

The flaw lives in the UniFi Connect application, versions 3.4.16 and earlier, the management software that Ubiquiti customers use to run commercial-building systems like smart lighting and EV chargers from one interface. The bug is an improper-access-control issue: the code path that executes commands can be reached without going through authentication. That means an attacker who can send network traffic to the application, whether by breaching a perimeter or simply finding an internet-exposed management interface, can inject arbitrary operating-system commands and gain control of the underlying host. The perfect 10.0 score reflects that there is nothing standing in the way, no login, no special privileges, no tricking a user into clicking anything.

RelatedGitea Docker flaw CVE-2026-20896 hands over admin access

How dangerous is a 10.0 in practice?

A CVSS 10.0 is as bad as the scale goes, and this one earns it on every axis. The vector, AV:N/AC:L/PR:N/UI:N with a scope change and high impact to confidentiality, integrity, and availability, describes the worst realistic case: remotely reachable, trivially exploitable, and total. The scope-change flag matters too, it means the compromise can reach beyond the vulnerable component into the wider host. Ubiquiti has not confirmed in-the-wild exploitation of this specific CVE yet, but the precedent is uncomfortable: in June, CISA added a separate UniFi OS chain (CVE-2026-34908, -34909, -34910) to its Known Exploited Vulnerabilities catalog after real attacks, and Bishop Fox showed those could be chained to remote code execution with elevated privileges. Attackers watch these bulletins.

Who is exposed, and how much?

The scale is the story. Threat-intelligence firm Censys counted roughly 100,000 UniFi OS endpoints reachable from the public internet, which is the pool of easy targets before you even count devices exposed accidentally behind a misconfigured firewall. UniFi gear is everywhere Ubiquiti made its name, prosumer setups, small and mid-sized businesses, offices, and increasingly commercial buildings where UniFi Connect ties into physical systems. That last part is what makes this more than a networking bug: a compromised host managing lighting, access control, or EV charging is a bridge from the network into the physical world. Anyone running UDM, UNVR, or UNAS hardware should treat this as an emergency, not a scheduled update.

CVE (SAB-066)CVE-2026-50746CVE-2026-54402CVE-2026-55115
ProductUniFi ConnectUniFi OSUniFi Protect
TypeCommand injectionCommand injectionSSRF
CVSS10.09.99.9
Auth neededNoneNoneLow privilege
Fixed in3.4.20UniFi OS 5.1.19Protect 7.1.83

What should you do right now?

Patch first, investigate second. Update UniFi Connect to 3.4.20 or later, then work through the rest of SAB-066: UniFi OS to 5.1.19, Talk to 5.2.2, Access to 4.2.29, and Protect to 7.1.83. Because there is no workaround, patching is the mitigation, so anything you cannot immediately update should be pulled off the public internet and put behind a hardened management network. After patching, hunt for signs you were already hit: unexpected administrator accounts, new API tokens, unknown remote-access settings, unexplained device-adoption changes, and any scripts or commands that do not belong. Restrict management-plane access as a standing policy, because the lesson of this bulletin is that exposing a UniFi management interface to the internet turns a patch delay into a full compromise.

RelatedGhostLock: a 15-year Linux bug hands attackers root

What to watch · 2026
  • A KEV listing. Given the June UniFi chain that CISA added after real attacks, watch for CVE-2026-50746 landing in the KEV catalog if exploitation is confirmed.
  • Public exploit code. A 10.0 with a simple, unauthenticated vector is exactly the kind of bug that gets a proof-of-concept fast; that is the clock on unpatched devices.
  • Internet exposure trend. Watch whether that ~100,000 exposed-endpoint count drops as admins patch and pull interfaces offline, or stubbornly stays flat.

Our take

The severity here is not the interesting part, plenty of 10.0s get patched quietly. The interesting part is the exposure: a hundred thousand internet-reachable management endpoints for gear that increasingly controls physical building systems, guarded by a command path that forgot to check who was asking. That combination, trivial exploitability plus a large exposed fleet plus a bridge into the physical world, is what separates a routine critical from a genuinely dangerous one. Ubiquiti did the right thing shipping fixes across the whole ecosystem at once, but there are no workarounds, which means the only thing standing between this flaw and a wave of compromised gateways is how fast administrators actually apply the update. History says a meaningful fraction will not, and those are the ones an attacker with a scanner and this bulletin will find first.

Primary sources

Original analysis by GenZTech. Advisory: Ubiquiti SAB-066.