HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-50747Published Modified CNA hackerone

CVE-2026-50747: A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device

A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device.

Metrics

CVSS v3.1
9.9
Severity
CRITICAL
Fixed in
5.2.2
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Authenticated SQL injection vulnerabilities in the UniFi Talk Application allow a network-accessible attacker with low-privilege credentials to escalate privileges on the host device. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C) indicates the service is reachable over the network, no victim interaction is needed, and the scope change means impact extends beyond the application itself. Successful exploitation gives the attacker full read, write, and availability impact on both the application and the underlying host. A patched-image rebuild at version 5.2.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-50747 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle UniFi Talk Application. Any image running a version below 5.2.2 will surface as affected in the HarborGuard scan results.

Available
Triage

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild at UniFi Talk Application version 5.2.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the UniFi Talk Application service over the network; there is no requirement for local or physical access.

  • AuthenticationRequired

    A low-privilege account on the application is sufficient to trigger the SQL injection payloads; no admin credentials are needed.

  • Victim interactionNot required

    The attacker does not need any user or administrator to take an action for exploitation to succeed.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • The attacker reads arbitrary data from the application database, including stored credentials, session tokens, and configuration records.
  • The attacker modifies or deletes persisted database rows, corrupting application state or creating new privileged accounts.
  • Because the CVSS scope is changed, the attacker can escalate privileges beyond the application and execute commands on the underlying host device.
  • Full availability impact means the attacker can crash or render the UniFi Talk Application and host services unresponsive.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50747 is matched against scanned images on ingestion, and a rebuild at the fixed version 5.2.2 is available for any environment where an affected image is identified. Where compliance policy permits auto-remediation, HarborGuard triggers a patched rebuild, runs regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with severity, affected image tags, and fix-version details so engineering teams can act immediately. Given the critical severity and scope-change impact, prioritizing this upgrade to 5.2.2 in any internet-accessible or multi-tenant UniFi Talk deployment is strongly warranted.

See how HarborGuard automates this

Fix available

5.2.2
Affected packages
  • Ubiquiti Inc / UniFi Talk Application
    < 5.2.2 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H