Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-50746

Ubiquiti UniFi Connect command injection (Bulletin 066)

Improper access control in Ubiquiti UniFi Connect ≤3.4.16 lets an attacker with network access execute command injection on the host device. CVSS 10.0. Fixed in 3.4.20.

cat cve-2026-50746.json
Vendor
Ubiquiti
Product
UniFi Connect (3.4.16 and earlier)
CVSS
10.0
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-50746 is the max-severity item in Ubiquiti’s Security Advisory Bulletin 066: an improper access control in UniFi Connect that permits command injection on the host device by an actor with network access to the appliance. NVD rates it CVSS 10.0 critical.

Affected

  • Ubiquiti UniFi Connect — versions 3.4.16 and earlier.

Patched

  • UniFi Connect 3.4.20 or later.

Exploitation status

  • No confirmed in-the-wild exploitation as of publication; Ubiquiti “has yet to disclose whether any of these vulnerabilities were exploited in the wild,” per BleepingComputer.
  • No public proof-of-concept posted.
  • Not on CISA KEV at time of publication.

Companion CVEs in Bulletin 066

The same bulletin covers six additional critical vulnerabilities across UniFi OS, UniFi Access, and adjacent applications:

Sourcing