CRITICAL | CVE-2026-54402 | CNA: hackerone | Published: | Modified:

CVE-2026-54402: A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device


Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: 5.1.19
Affected Products: 12


HarborGuard Analysis

Synopsis

A command injection vulnerability in Ubiquiti's UniFi OS (shipped on Dream Machines, Dream Routers, Enterprise Fortress Gateways, Cloud Keys and Network Video Recorders, and as UniFi OS Server) lets a network-reachable attacker holding any low-privilege account execute arbitrary operating system commands on the host device. The advisory classifies the root cause as improper input validation: attacker-controlled input reaches a command execution path without adequate validation. With confidentiality, integrity and availability impact all rated high and the scope changed in the CVSS vector, successful exploitation gives the attacker effective control of the host, including reading stored data, modifying system files and disrupting services. Ubiquiti fixed the issue in UniFi OS 5.1.19; a patched-image rebuild at that version is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54402 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from UniFi OS base layers. Any image in a connected registry or CI pipeline running a version below 5.1.19 is flagged automatically.
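A version gate of the kind the detection step describes, as an added example rather than HarborGuard's scanner code: it parses dotted UniFi OS version strings numerically, treats a pre-release of 5.1.19 as still affected, reports versions it cannot parse instead of skipping them, and shows beside it the string-comparison mistake that would miss 5.1.9. The hostnames, product assignments and versions in the sample inventory are constructed; only the fixed version and product names come from this advisory.

```python
"""Flag inventory entries on UniFi OS builds below the fixed release.

Added example for this advisory, not HarborGuard's scanner and not Ubiquiti
code. The only facts taken from the advisory are the fixed version and the
product names; the inventory records at the bottom are constructed.
"""
import re
from typing import NamedTuple

FIXED_VERSION = "5.1.19"  # first fixed UniFi OS release per the advisory

# Optional leading "v", dotted numeric core, optional "-prerelease", optional "+build".
_VERSION_RE = re.compile(
    r"^v?(?P<core>\d+(?:\.\d+)*)(?P<pre>-[0-9A-Za-z.]+)?(?:\+[0-9A-Za-z.]+)?$"
)


class Version(NamedTuple):
    core: tuple        # numeric components, zero-padded to four places
    prerelease: bool   # True for e.g. 5.1.19-rc1, which precedes 5.1.19


def parse_version(text: str) -> Version:
    """Parse a dotted version so it compares numerically, not as a string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group("core").split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components in {text!r}")
    parts += [0] * (4 - len(parts))  # 5.1 is treated as 5.1.0.0
    return Version(tuple(parts), m.group("pre") is not None)


def is_affected(text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `text` is below the fixed release (pre-releases of it included)."""
    v, f = parse_version(text), parse_version(fixed)
    if v.core != f.core:
        return v.core < f.core
    # Same numeric release: an rc of the fix is still pre-fix.
    return v.prerelease and not f.prerelease


def naive_is_affected(text: str, fixed: str = FIXED_VERSION) -> bool:
    """The common mistake: string comparison ranks '5.1.9' above '5.1.19'."""
    return text < fixed


def flag_inventory(inventory: list) -> list:
    """Return (host, reason) for every record that needs remediation or review.

    Unparseable versions are reported rather than skipped: a scanner that
    passes over what it cannot read under-reports exposure.
    """
    findings = []
    for rec in inventory:
        try:
            if is_affected(rec["version"]):
                findings.append((rec["host"], f"UniFi OS {rec['version']} is below {FIXED_VERSION}"))
        except ValueError as exc:
            findings.append((rec["host"], f"version unparseable, review manually ({exc})"))
    return findings


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "udm-pro-hq", "product": "Dream Machines", "version": "5.1.9"},
    {"host": "ck-g2-branch", "product": "Cloud Keys", "version": "5.1.19"},
    {"host": "unvr-lab", "product": "Network Video Recorders", "version": "v5.1.19-rc1"},
    {"host": "efg-dc1", "product": "Enterprise Fortress Gateway", "version": "5.2.0"},
    {"host": "uosserver-ci", "product": "UniFi OS Server", "version": "unknown"},
]

if __name__ == "__main__":
    for host, reason in flag_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Run as a script it lists the three hosts that need attention; `naive_is_affected("5.1.9")` returns False, which is exactly the false negative a lexicographic check produces against this fixed version.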
Triage: Available

HarborGuard scores this finding at CVSS 9.9 Critical (v3.1) and weights it against each environment's compliance policy to determine priority and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image or workload.
Patch: Available

A patched-image rebuild at UniFi OS version 5.1.19 is published on HarborGuard once the upstream fix is confirmed, enabling customers to pull a remediated base image without delay. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the UniFi OS service over the network; no physical or local access is required.

  • Authentication: Required

    A low-privilege account on the device is sufficient; no administrative or elevated credentials are needed beyond basic login access.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker triggers the vulnerability directly without any victim participation.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning exploitation does not depend on special timing, race conditions, or environmental preconditions outside the attacker's control.

Blast Radius

  • The attacker executes arbitrary operating system commands on the host device with the privileges of the vulnerable process.
  • All data stored on the device, including network configuration, credentials, and captured video footage on NVR models, is readable by the attacker.
  • The attacker can modify system files, persist backdoors, or alter network routing and firewall rules on the host.
  • The affected service and the broader device can be crashed or rendered unavailable, disrupting network management and security enforcement.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54402 is active across all connected registries and pipelines, flagging any image running UniFi OS below version 5.1.19. A patched-image rebuild at version 5.1.19 is available for customers whose images use an affected UniFi OS base layer. For customers with auto-remediation enabled, HarborGuard triggers a rebuild at the fixed version, runs a regression test run against the new image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues in those environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and remediation instructions.

Most of the products in the affected list are hardware consoles (Dream Machines, Cloud Keys, NVRs and similar) whose UniFi OS is updated through the console's own UniFi OS update mechanism, not through a container image. Image scanning does not see those devices, so confirm that each console is on 5.1.19 or later directly, whatever the registry scan reports.

The vector carries a scope change (S:C), meaning a successful exploit can affect resources beyond the vulnerable component itself, and requires only low privileges (PR:L), so any account on the console, not just an administrator, is a usable entry point. Customers who cannot apply the update immediately should use network-policy controls to restrict which hosts can reach UniFi OS management interfaces, and review which accounts exist on the console and whether each still needs access.


Fix available: 5.1.19
Affected packages
  • Ubiquiti Inc / UniFi OS Server
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Dream Machines
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Enterprise Fortress Gateway
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Dream Wall
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Dream Routers
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Express 7
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Cloud Keys
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Network Video Recorders
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Enterprise Video Recorders
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Cloud Gateways
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Network Attached Storage
    < 5.1.19 (from 0)
  • Ubiquiti Inc / Enterprise Firewall Core
    < 5.1.19 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H