CVE-2026-34911 Overview
CVE-2026-34911 is a path traversal vulnerability [CWE-22] affecting UniFi OS devices from Ubiquiti. An authenticated attacker with low privileges and network access can traverse outside intended directories to read files on the underlying operating system. The exposed files may contain sensitive information that supports further compromise of the device or connected infrastructure.
The vulnerability carries a CVSS 3.1 score of 7.7 with a scope change, indicating that exploitation impacts resources beyond the vulnerable component. No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Authenticated network attackers can read arbitrary files on UniFi OS devices, exposing configuration data, credentials, and operational secrets that enable lateral movement across managed networks.
Affected Products
- UniFi OS devices (Ubiquiti)
- UniFi OS-based consoles and gateways running affected firmware
- Refer to the vendor advisory for specific firmware version ranges
Discovery Timeline
- 2026-05-22 - CVE-2026-34911 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-34911
Vulnerability Analysis
The vulnerability resides in the request handling logic of UniFi OS, where user-supplied input is used to construct file system paths without sufficient validation. An attacker holding low-privilege credentials can submit crafted requests containing directory traversal sequences. The application resolves these sequences against the local file system, returning content outside the intended document root.
Because the CVSS vector specifies a changed scope, exploitation reaches resources managed by components other than the vulnerable web service. In practice, this means files belonging to the underlying Linux-based operating system become readable through the management interface. Sensitive material such as device configuration, session tokens, certificates, and credentials for adopted devices may be exposed.
The attack requires no user interaction and can be automated against any reachable UniFi OS management endpoint.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The application accepts file path components from the request and concatenates them without canonicalizing the result or enforcing a whitelist of permitted directories. Sequences such as ../ are not stripped or rejected before file system access occurs.
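As an added illustration of the defect class just described and the control that closes it (not UniFi OS source code), the following Python handler canonicalizes the user-supplied path before any file system access and enforces an allowlist of permitted directories; the document root and the permitted subdirectory names are assumptions for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example of CWE-22 hardening; not UniFi OS code. The document
# root and the permitted subdirectories are assumptions for this example.
DOCUMENT_ROOT = "/srv/www/files"
PERMITTED_SUBDIRS = ("config", "logs")


def resolve_request_path(requested: str, root: str = DOCUMENT_ROOT) -> Optional[str]:
    """Canonicalize a user-supplied path and enforce the permitted-directory
    allowlist. Returns the resolved path, or None when the request is rejected.

    The described root cause is the opposite behaviour: root + "/" + requested
    handed straight to the file system, so "../" segments escape the root.
    """
    # Decode twice so single- and double-encoded forms (..%2f, ..%252f) are
    # examined in their final shape rather than slipping past a textual check.
    decoded = unquote(unquote(requested))
    # Absolute paths and embedded NUL bytes are never legitimate here.
    if decoded.startswith(("/", "\\")) or "\x00" in decoded:
        return None
    root_real = os.path.realpath(root)
    # realpath collapses "." and ".." and follows symlinks, so the containment
    # check below sees the path the kernel would actually open.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if not candidate.startswith(root_real + os.sep):
        return None  # escaped the document root (or is the root itself)
    first_component = os.path.relpath(candidate, root_real).split(os.sep)[0]
    if first_component not in PERMITTED_SUBDIRS:
        return None  # inside the root but outside the allowlist
    return candidate
```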
Attack Vector
An attacker first authenticates to UniFi OS with any low-privilege account. The attacker then issues an HTTP request to a vulnerable endpoint, supplying a file path parameter that includes traversal sequences pointing to system files. The server returns file contents in the response, which the attacker harvests for credentials, keys, and configuration data.
The vulnerability mechanism is described in the UI Community Security Advisory. No public proof-of-concept code has been released.
Detection Methods for CVE-2026-34911
Indicators of Compromise
- HTTP requests to UniFi OS management endpoints containing ../, ..%2f, or URL-encoded traversal sequences in path or query parameters
- Unexpected access patterns from low-privilege accounts targeting file retrieval endpoints
- Outbound response payloads containing strings consistent with /etc/passwd, /etc/shadow, or UniFi configuration files
Detection Strategies
- Inspect web access logs on UniFi OS devices for traversal patterns and unusual file-read parameters
- Correlate authentication events with subsequent high-volume file access requests from the same session
- Deploy network monitoring rules that flag traversal payloads against management interfaces on common UniFi ports
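The log inspection and per-session correlation described in the two sections above, as an added example that is not part of the original advisory: it decodes each request path (twice, to catch ..%2f and double-encoded variants), flags traversal sequences, and counts file-retrieval requests per session to surface bursts. The log layout, the session identifiers and the /api/files endpoint are constructed for the sample and are not the real UniFi OS log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in a simplified access-log layout
# (timestamp client session method path status bytes). The layout, session
# ids and the /api/files endpoint are assumptions, not the UniFi OS format.
SAMPLE_LOG = """\
2026-05-23T10:00:01Z 10.10.0.5 sess-a1 GET /api/files?name=report.pdf 200 5120
2026-05-23T10:00:09Z 203.0.113.7 sess-b2 GET /api/files?name=..%2f..%2f..%2fetc%2fpasswd 200 2211
2026-05-23T10:00:10Z 203.0.113.7 sess-b2 GET /api/files?name=%2e%2e/%2e%2e/etc/shadow 403 0
2026-05-23T10:00:11Z 203.0.113.7 sess-b2 GET /api/files?name=../../data/unifi/config.json 200 8800
2026-05-23T10:00:12Z 203.0.113.7 sess-b2 GET /api/files?name=../../etc/hosts 200 300
2026-05-23T10:00:30Z 10.10.0.6 sess-c3 GET /api/status 200 120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<session>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# A ".." segment bounded by a separator, query delimiter or string edge.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\]|$)")
FILE_READ_PREFIX = "/api/files"  # assumed file-retrieval endpoint for the sample


def has_traversal(path: str) -> bool:
    """Decode twice so encoded and double-encoded sequences are examined."""
    return TRAVERSAL_RE.search(unquote(unquote(path))) is not None


def scan_access_log(text: str, burst_threshold: int = 3) -> dict:
    """Return flagged traversal requests and sessions with bursty file reads."""
    traversal_hits, reads_per_session = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        path = m["path"]
        if path.startswith(FILE_READ_PREFIX):
            reads_per_session[m["session"]] += 1
        if has_traversal(path):
            traversal_hits.append({"ts": m["ts"], "client": m["client"],
                                   "session": m["session"], "path": path,
                                   "status": int(m["status"])})
    bursty = {s: n for s, n in reads_per_session.items() if n >= burst_threshold}
    return {"traversal": traversal_hits, "bursty_sessions": bursty}
```

A 403 on one request followed by 200s on the next is itself a useful signal: the attempt was recognised once and then succeeded with a different encoding.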
Monitoring Recommendations
- Forward UniFi OS application and authentication logs to a central log platform for retention and analysis
- Alert on any successful authentication by service or low-privilege accounts followed by abnormal API call volume
- Track outbound data transfer sizes from management interfaces to detect bulk file extraction
How to Mitigate CVE-2026-34911
Immediate Actions Required
- Apply the firmware update referenced in the UI Community Security Advisory to all UniFi OS devices
- Restrict network access to UniFi OS management interfaces to trusted administrative networks only
- Audit existing user accounts and remove unnecessary low-privilege accounts that could be abused
- Rotate credentials, API tokens, and certificates stored on affected devices after patching
Patch Information
Ubiquiti has published firmware updates addressing the path traversal flaw. Consult the vendor advisory for the specific UniFi OS versions that contain the fix and apply updates to all affected consoles, gateways, and integrated devices.
Workarounds
- Place UniFi OS management interfaces behind a VPN or jump host to eliminate direct network exposure
- Enforce strong, unique passwords and multi-factor authentication on all UniFi accounts to reduce abuse of low-privilege credentials
- Apply firewall rules that limit inbound connections to UniFi management ports from specific administrative IP ranges
# Example firewall rule restricting UniFi OS management access
iptables -A INPUT -p tcp --dport 443 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.