PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54401 Ubiquiti Inc CVE debrief

CVE-2026-54401 is a Server-Side Request Forgery (SSRF) vulnerability in UniFi OS devices or instances. An attacker with network access and low privileges could exploit this vulnerability to escalate privileges. The vulnerability has a CVSS score of 7.7 and is classified as HIGH severity. Affected product deployments should be reviewed for exposure and patched or mitigated accordingly.

Vendor
Ubiquiti Inc
Product
UniFi OS Server
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-10
Advisory published
2026-07-02
Advisory updated
2026-07-10

Who should care

Administrators and users of UniFi OS devices or instances should be aware of this vulnerability and take necessary precautions to prevent exploitation. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed.

Technical summary

The vulnerability is caused by a lack of proper validation of user input, allowing an attacker to make unauthorized requests to internal resources. This could lead to privilege escalation within the UniFi OS devices or instances. The vulnerability affects UniFi OS devices or instances with network access.

Defensive priority

High

Recommended defensive actions

  • Apply the patch or update to version 5.1.16 or later
  • Restrict access to UniFi OS devices or instances to only trusted networks and users
  • Monitor for suspicious activity and implement compensating controls
  • Perform regular inventory checks to ensure all devices are up-to-date
  • Review compensating controls for exposed systems while remediation is scheduled and verified

Evidence notes

The CVE record was published on 2026-07-02T15:17:03.730Z and last modified on 2026-07-10T02:50:13.673Z. The NVD entry is currently Analyzed. The vulnerability affects UniFi OS devices or instances. Evidence is limited to CVE and NVD details. Defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T15:17:03.730Z and has not been modified since then. The NVD entry is currently Analyzed.