Ubiquiti UniFi OS Path Traversal Vulnerability.
Release Date: 223rd June 2026
Impact: HIGH / CRITICAL
TLP Rating: Clear
The Department of Communication and Digital Transformation (DCDT), through CERT Vanuatu (CERTVU), provides the following advisory.
This alert is relevant to organizations and system/network administrators that use the above products. It is intended to be understood by technical users and systems administrators.
What is it?
CVE-2026-34910 is a critical Command Injection vulnerability affecting Ubiquiti UniFi OS devices. The vulnerability results from improper input validation, allowing a malicious actor with network access to inject and execute arbitrary operating system commands on vulnerable devices.
What are the systems affected?
The vulnerability affects multiple Ubiquiti UniFi OS products, including:
- UniFi OS Server
- UDM (UniFi Dream Machine)
- UDM-Pro
- UDM-SE
- UDM-Pro-Max
- UDM-Beast
- UDR
- UDR7
- UDR-5G
- UDW
- EFG
- Express 7
- UNVR
- UNVR-Pro
- UNVR-Instant
- ENVR
- UCG-Ultra
- UCG-Max
- UCG-Fiber
- UCG-Industrial
- UCK / UCKP / UCK-Enterprise
- UNVR-G2 / UNVR-G2-Pro
- UNAS product family
What does this mean?
Typical Attack Process
Step 1 – Identify Target Devices
Attackers scan internal or Internet-accessible networks for UniFi OS management interfaces.
Step 2 – Send Crafted Requests
The attacker submits specially crafted input to vulnerable application functions.
Because the application does not properly validate user-supplied input, malicious commands are incorporated into system-level command execution.
Step 3 – Execute Arbitrary Commands
The injected commands execute with the privileges of the affected service, allowing attackers to:
- Execute operating system commands
- Create administrator accounts
- Download and execute malware
- Modify firewall and routing configurations
- Disable security controls
- Establish persistent access
Mitigation process
CERTVU recommends the following:
1. Update UniFi OS Immediately (Critical)
Apply the latest firmware versions released by Ubiquiti.
According to Security Advisory Bulletin 064, organizations should update affected devices to the latest patched releases, including:
- UniFi OS Server 5.0.8 or later
- UniFi OS 5.1.12 or later for most supported devices
- UDM-Beast 5.1.11 or later
- UNAS family 5.1.10 or later
or any newer security release provided by Ubiquiti.
2. Restrict Management Interface Exposure
- Do not expose UniFi management interfaces directly to the Internet.
- Restrict access through:
  - Dedicated management VLANs
  - VPN connections
  - IP allowlists
  - Bastion hosts
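The minimum patched versions in step 1 can be checked across a device inventory with a short script. The following is an added example, not part of the CERTVU advisory or of Ubiquiti's tooling; the hostnames, model strings and installed versions in SAMPLE are constructed, and applying 5.1.12 to every model not listed separately is an assumption based on the advisory's "most supported devices" wording.

```python
import re

# Minimum patched versions as listed in this advisory (step 1).
PATCHED = {
    "UniFi OS Server": (5, 0, 8),
    "UDM-Beast": (5, 1, 11),
    "UNAS": (5, 1, 10),        # UNAS product family
}
# Assumption: every model not listed above falls under "most supported devices".
DEFAULT_MIN = (5, 1, 12)

def parse_version(text):
    """Return (major, minor, patch) for a string such as '5.1.12' or 'v5.1.12'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def minimum_for(model):
    """Pick the minimum patched version that applies to a model name."""
    if model in PATCHED:
        return PATCHED[model]
    if model.upper().startswith("UNAS"):
        return PATCHED["UNAS"]
    return DEFAULT_MIN

def audit(inventory):
    """Return (host, model, version, required, status) for each inventory row."""
    results = []
    for host, model, version in inventory:
        required = minimum_for(model)
        try:
            # Tuples compare numerically, so 5.1.9 < 5.1.10 (a string compare gets this wrong).
            status = "OK" if parse_version(version) >= required else "UPDATE"
        except ValueError:
            status = "UNKNOWN"   # unparseable version: verify on the device
        results.append((host, model, version, ".".join(map(str, required)), status))
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("gw-office", "UDM-Pro", "5.1.11"),
    ("gw-lab", "UDM-Beast", "5.1.11"),
    ("nas-01", "UNAS-Pro", "5.1.9"),
    ("ctrl-01", "UniFi OS Server", "5.0.8"),
    ("nvr-01", "UNVR", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<10} {:<16} {:<8} needs >= {:<7} {}".format(*row))
```

Devices reported as UPDATE are below the patched release for their model; devices reported as UNKNOWN need their firmware version confirmed by hand before they are considered safe.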
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.cve.org/CVERecord?id=CVE-2026-34910
- Download advisory (English): Ubiquiti UniFi OS Improper Input Validation Vulnerability.