CVE-2026-50747: A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device
A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device.
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- 5.2.2
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Authenticated SQL injection vulnerabilities in the UniFi Talk Application allow a network-accessible attacker with low-privilege credentials to escalate privileges on the host device. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C) indicates the service is reachable over the network, no victim interaction is needed, and the scope change means impact extends beyond the application itself. Successful exploitation gives the attacker full read, write, and availability impact on both the application and the underlying host. A patched-image rebuild at version 5.2.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-50747 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle UniFi Talk Application. Any image running a version below 5.2.2 will surface as affected in the HarborGuard scan results.
AvailableHarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at UniFi Talk Application version 5.2.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the UniFi Talk Application service over the network; there is no requirement for local or physical access.
- AuthenticationRequired
A low-privilege account on the application is sufficient to trigger the SQL injection payloads; no admin credentials are needed.
- Victim interactionNot required
The attacker does not need any user or administrator to take an action for exploitation to succeed.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.
Blast Radius
- The attacker reads arbitrary data from the application database, including stored credentials, session tokens, and configuration records.
- The attacker modifies or deletes persisted database rows, corrupting application state or creating new privileged accounts.
- Because the CVSS scope is changed, the attacker can escalate privileges beyond the application and execute commands on the underlying host device.
- Full availability impact means the attacker can crash or render the UniFi Talk Application and host services unresponsive.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-50747 is matched against scanned images on ingestion, and a rebuild at the fixed version 5.2.2 is available for any environment where an affected image is identified. Where compliance policy permits auto-remediation, HarborGuard triggers a patched rebuild, runs regression tests, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with severity, affected image tags, and fix-version details so engineering teams can act immediately. Given the critical severity and scope-change impact, prioritizing this upgrade to 5.2.2 in any internet-accessible or multi-tenant UniFi Talk deployment is strongly warranted.
Fix available
- Ubiquiti Inc / UniFi Talk Application< 5.2.2 (from 0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H