Overview

Ubiquiti has released Security Advisory Bulletin 062 addressing two vulnerabilities impacting the UniFi Protect Application.

CVE-2026-22557 (CVSS3.1 – 10.0 Critical): A path traversal vulnerability may allow an authenticated attacker to access or manipulate arbitrary files on the underlying system. Successful exploitation could result in unauthorised access to sensitive data and potential compromise of the affected system.

CVE-2026-22558 (CVSS3.1 – 7.7 High): An authenticated NoSQL injection vulnerability may allow a malicious actor with valid access to escalate privileges within the application.

Affected Devices

  • Official Release: UniFi Network application (Version 10.1.85 and earlier)
  • Release Candidate: UniFi Network application (Version 10.2.93 and earlier)
  • UniFi Express (UX): UniFi Network application (Version 9.0.114 and earlier)

Recommended Remediations

Ubiquiti has released updates to remediate these vulnerabilities and ctrl:cyber strongly recommends upgrading affected systems to the latest versions in accordance with internal patching policies:

  • Official Release: Update UniFi Network application to Version 10.1.89 or later.
  • Release Candidate: Update UniFi Network application to Version 10.2.97 or later.
  • UniFi Express (UX): Update UniFi Express firmware to 4.0.13 or later, which updates the UniFi Network application to Version 9.0.118 or later.

Ubiquiti: Security Advisory Bulletin 062