Carlos Vieira

We just received a bounty reward from UniFi for reporting a vulnerability affecting UniFi OS devices. As part of the Hakai Labs (Hakai Offsec) research team at QuimeraX Intelligence, we independently identified a Path Traversal vulnerability (CVE-2026-34911) that allowed an attacker with network access to access internal routes on the underlying system without a valid token, exposing a sensitive information. Our research was conducted independently, but the vulnerability we reported could be chained with other vulnerabilities disclosed during the same period, including Improper Access Control and Command Injection flaws reported by other researchers. When combined, these issues lead to a pre-auth RCE affecting multiple UniFi OS products. Affected products include UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber, and several other UniFi OS devices. We strongly recommend updating affected systems to the latest available version. Technical details remain under coordinated disclosure, and the only public information currently available is UniFi’s Security Advisory Bulletin.