PatchSiren cyber security CVE debrief
CVE-2026-34909 Ubiquiti Inc CVE debrief
Published on 2026-05-22, CVE-2026-34909 is a critical path traversal vulnerability in UniFi OS devices. A network-accessible attacker could access files on the underlying system and, according to the CVE description, potentially manipulate that access to reach an underlying account. NVD rates the issue CVSS 3.1 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps it to CWE-22.
- Vendor
- Ubiquiti Inc
- Product
- UniFi OS Server
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-22
- Original CVE updated
- 2026-05-22
- Advisory published
- 2026-05-22
- Advisory updated
- 2026-05-22
Who should care
Administrators and security teams responsible for UniFi OS devices should prioritize this issue, especially where management services are reachable from untrusted or broad networks. Because the record indicates remote attack conditions with no privileges and no user interaction, exposed deployments should be treated as urgent patch candidates.
Technical summary
The supplied CVE description identifies a path traversal flaw in UniFi OS devices. NVD’s metadata classifies it as CWE-22 and gives a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network reachability, no required privileges, no user interaction, and high potential impact. The described impact is access to files on the underlying system, with possible follow-on access to an underlying account.
Defensive priority
Immediate. The combination of CVSS 10.0, remote reachability, no privileges, no user interaction, and high impact across confidentiality, integrity, and availability makes this a top-priority remediation item.
Recommended defensive actions
- Review the linked vendor advisory and apply the first fixed UniFi OS release or any vendor-provided mitigation guidance.
- Restrict access to UniFi OS management and administration interfaces to trusted networks only; remove unnecessary external exposure.
- Check for unusual administrative activity, unexpected file access, or configuration changes on affected devices.
- If patching must be delayed, reduce exposure as much as possible and monitor closely until remediation is complete.
- Confirm backups and recovery procedures before making changes so devices can be restored if remediation requires disruptive updates.
Evidence notes
This debrief is based only on the supplied CVE description, the NVD metadata, and the linked advisory reference. The evidence explicitly supports a path traversal issue in UniFi OS devices, a CWE-22 mapping, and a CVSS 3.1 score of 10.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The supplied vendor field is low-confidence and marked for review, so this summary avoids asserting a broader vendor identity beyond the explicit UniFi OS wording in the CVE description.
Official resources
-
CVE-2026-34909 CVE record
CVE.org
-
CVE-2026-34909 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE published and modified at 2026-05-22T02:16:34.390Z. The supplied source timeline matches that timestamp, and no KEV entry was provided in the corpus.