CVE-2026-55115: A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: 7.1.83
- Affected Products: 1
HarborGuard Analysis
Synopsis
A Server-Side Request Forgery (SSRF) vulnerability affects the UniFi Protect Application by Ubiquiti Inc. The flaw is reachable over the network and requires only a low-privilege account; no additional user interaction is necessary. Successful exploitation allows an attacker to escalate privileges on the host device, with full confidentiality, integrity, and availability impact on resources beyond the application itself. A patched-image rebuild at version 7.1.83 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-55115 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle the UniFi Protect Application. Coverage applies to images in both connected registries and active CI/CD pipelines.
HarborGuard is capable of surfacing this CVE with its CVSS v3.1 score of 9.9 (Critical) and applying per-environment compliance policy weighting to determine urgency. Triage routing directs findings to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild targeting UniFi Protect Application version 7.1.83 becomes available through HarborGuard once the affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the UniFi Protect Application service over the network; no local access or physical presence is required.
- Authentication: Required
A low-privilege account on the application is sufficient; no administrative or elevated credentials are needed to begin the attack.
- Victim interaction: Not required
No action from another user or victim is necessary; the attacker can trigger the SSRF entirely on their own.
- Attack complexity: Low
Exploit conditions are straightforward and require no race conditions, special memory layout, or environmental prerequisites, making the attack reliably repeatable.
Blast Radius
- Reads sensitive data from internal services reachable by the host, including configuration files, credentials, and session material.
- Modifies data or issues commands to internal network services by forging requests that originate from the trusted host.
- Escalates privileges on the underlying host device, potentially gaining root or system-level control.
- Crashes or disrupts the host device or dependent services through unrestricted access to internal endpoints.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-55115 is active across all connected registries and pipelines, matching any image that includes a vulnerable version of UniFi Protect Application (below 7.1.83). Given the Critical severity and the scope-changed CVSS vector, this CVE is prioritized for immediate triage routing. A patched-image rebuild at version 7.1.83 is available for qualifying images. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression test run against the updated image, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before merging, the PR and associated test results are staged and waiting for approval.
Fix available
- Ubiquiti Inc / UniFi Protect Application: < 7.1.83 (from 0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H