CVE-2026-55116: A malicious actor with access to the network and under certain network configurations could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: 5.1.19
- Affected Products: 7
HarborGuard Analysis
Synopsis
An improper access control vulnerability in UniFi OS (affecting Ubiquiti Dream Machines, Dream Routers, Dream Wall, Enterprise Fortress Gateway, Enterprise Firewall Core, Express 7, and Cloud Gateways) allows an unauthenticated attacker with network access to make unauthorized changes to the device. The vulnerability is reachable over the network and requires no user interaction, though certain network configurations must be in place for exploitation. Successful exploitation gives an attacker full confidentiality, integrity, and availability impact on the affected device, including the ability to alter device configuration and disrupt operation. A patched-image rebuild at version 5.1.19 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Available: Detection of CVE-2026-55116 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected UniFi OS base layers. Coverage applies regardless of whether the affected image originates from a public registry or an internally maintained build.
- Available: HarborGuard scores this finding at CVSS 9.0 (Critical) using the published v3.1 vector, and per-environment compliance policy weighting is available to escalate or adjust priority based on each organization's risk posture. Triage routing is available to direct the finding to the appropriate team inbox within each customer org based on affected workload ownership.
- Available: A patched-image rebuild at UniFi OS version 5.1.19 becomes available in HarborGuard the moment the fix version is confirmed against the advisory record. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected UniFi OS device over the network; the AV:N vector token confirms the service must be exposed to network-based requests.
- Authentication: Not required
No account or credential is needed; PR:N means the attacker can interact with the vulnerable component without any prior authentication.
- Victim interaction: Not required
The exploit proceeds without any action from a logged-in user or administrator; UI:N confirms no social engineering or victim click is required.
- Attack complexity: High
AC:H indicates exploitation is not condition-free: certain network configurations must be present, and the attacker may need to satisfy specific environmental factors before the access control bypass is reachable.
Blast Radius
- A successful attacker can read sensitive device configuration data, credentials, and operational state stored on the UniFi OS device.
- The attacker can write arbitrary configuration changes to the device, including altering firewall rules, routing tables, and administrative account settings.
- The attacker can crash or render the device unresponsive, disrupting network connectivity for all hosts behind the affected gateway or router.
- Because the CVSS scope is Changed (S:C), impact can extend beyond the vulnerable component itself to downstream network segments or dependent systems managed by the device.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-55116 is active across all connected environments, matching against any image built on or incorporating affected UniFi OS versions below 5.1.19. A patched-image rebuild targeting version 5.1.19 is available for affected images once the fix version is confirmed. For customers with auto-remediation enabled, HarborGuard can trigger the rebuild, execute regression tests, and open a pull request against affected workloads automatically; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS 9.0 Critical scoring and full vector context attached. Given the AC:H requirement for specific network configurations, customers may also wish to apply compensating controls such as network-policy isolation restricting management-plane access to the affected devices while a patched image is validated and promoted.
Fix available
- Ubiquiti Inc / Dream Machines: < 5.1.19 (from 0)
- Ubiquiti Inc / Enterprise Fortress Gateway: < 5.1.19 (from 0)
- Ubiquiti Inc / Dream Wall: < 5.1.19 (from 0)
- Ubiquiti Inc / Dream Routers: < 5.1.19 (from 0)
- Ubiquiti Inc / Express 7: < 5.1.19 (from 0)
- Ubiquiti Inc / Cloud Gateways: < 5.1.19 (from 0)
- Ubiquiti Inc / Enterprise Firewall Core: < 5.1.19 (from 0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
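Acting on the Fix available list means deciding whether a UniFi OS version reported by inventory falls inside "< 5.1.19 (from 0)" for one of the listed products. The Python below is an added example, not HarborGuard's matcher: it parses entries in the format used on this page into numeric version tuples and checks a version against them, and it shows why comparing version strings as text is unsafe here ("5.1.2" sorts after "5.1.19" as a string). The entries are copied from this page; the helper names are assumptions.

```python
"""Affected-version check for the Fix available list (added example, not HarborGuard code)."""
import re
from typing import NamedTuple, Optional


class VersionRange(NamedTuple):
    vendor: str
    product: str
    introduced: tuple  # inclusive lower bound
    fixed: tuple       # exclusive upper bound


# Accepts both "Product< 5.1.19 (from 0)" and "Product: < 5.1.19 (from 0)".
RANGE_RE = re.compile(
    r"^(?P<vendor>.+?)\s*/\s*(?P<product>.+?)\s*:?\s*<\s*(?P<fixed>[\d.]+)"
    r"\s*\(from\s+(?P<from>[\d.]+)\)$"
)


def parse_version(s: str) -> tuple:
    """'5.1.19' -> (5, 1, 19). Tuples of ints compare numerically, unlike strings."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def parse_range(line: str) -> VersionRange:
    m = RANGE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised range entry: {line!r}")
    return VersionRange(m["vendor"].strip(), m["product"].strip(),
                        parse_version(m["from"]), parse_version(m["fixed"]))


# Entries as listed on this advisory page.
FIX_AVAILABLE = [
    "Ubiquiti Inc / Dream Machines: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Enterprise Fortress Gateway: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Dream Wall: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Dream Routers: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Express 7: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Cloud Gateways: < 5.1.19 (from 0)",
    "Ubiquiti Inc / Enterprise Firewall Core: < 5.1.19 (from 0)",
]
RANGES = [parse_range(line) for line in FIX_AVAILABLE]


def is_affected(entry: VersionRange, version: str) -> bool:
    """True when introduced <= version < fixed, compared numerically."""
    v = parse_version(version)
    return entry.introduced <= v < entry.fixed


def affected_products(version: str, product: Optional[str] = None) -> list:
    """Products from the list for which `version` is still unpatched."""
    return [r.product for r in RANGES
            if (product is None or r.product == product) and is_affected(r, version)]


if __name__ == "__main__":
    for v in ("4.3.6", "5.1.2", "5.1.19", "5.2.0"):  # constructed sample versions
        print(v, "->", affected_products(v))
    # The classic pitfall: as text, "5.1.2" sorts after "5.1.19".
    print("string compare says 5.1.2 >= 5.1.19:", "5.1.2" >= "5.1.19")
```

Inventory feeds that report firmware as free-form strings should be normalised through a parser like `parse_version` before matching; a single lexicographic comparison would mark 5.1.2 as fixed.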