Wasteland.

CVE-2026-34908: Critical Access Control Flaw in Ubiquiti UniFi OS

A critical improper access control vulnerability (CVSS 10.0) in Ubiquiti UniFi OS lets a remote, unauthenticated attacker make unauthorized changes to affected devices, and CISA has added it to its Known Exploited Vulnerabilities catalog.

What Is It

CVE-2026-34908 is an improper access control weakness (CWE-284) in Ubiquiti UniFi OS devices. According to NVD, "a malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system." It carries the maximum CVSS 3.1 base score of 10.0 (CRITICAL), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: the flaw is exploitable over the network (AV:N) with low attack complexity (AC:L), needs no privileges (PR:N) and no user interaction (UI:N), changes scope (S:C, meaning the impact reaches beyond the vulnerable component itself), and has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Why It Matters

CISA added CVE-2026-34908 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-06-23. A KEV listing means CISA has evidence of exploitation in the wild, not merely a high score, so this is a confirmed, actively used flaw rather than a theoretical one. The combination of the maximum 10.0 score, no required privileges, and no user interaction means any actor who can reach the device over the network can exploit it without any help from a user. Known ransomware campaign use is currently listed as "Unknown."

What's Vulnerable

The flaw affects a broad range of UniFi OS products running versions below their fixed releases, including:

Patch Status

CISA's required action is to apply mitigations per vendor instructions in accordance with BOD 26-04 and CISA's Forensics Triage Requirements, with a due date of 2026-06-26, three days after the KEV listing. For cloud services, follow applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure; UniFi OS devices reachable from the internet are the first to patch or isolate, since no privileges or user interaction are needed to exploit them. Fixes are delivered in the versions listed above; consult Ubiquiti's advisory for upgrade details.