Critical Path‑Traversal Flaw in Ubiquiti UniFi Network App Enables Account Takeover (CVE‑2026‑22557)
What Happened – Ubiquiti disclosed two vulnerabilities in its UniFi Network application. The most severe, CVE‑2026‑22557 (CVSS 10.0), is a path‑traversal bug that allows an attacker on the same network to read arbitrary system files and manipulate them to hijack user accounts. A second issue (CVE‑2026‑22558, CVSS 7.7) permits privilege escalation via an authenticated NoSQL injection.
Why It Matters for TPRM –
- The flaw can be leveraged to gain full control of the management console that administers Wi‑Fi APs, switches and gateways across many enterprises.
- Compromise of the console exposes network topology, credentials, and potentially downstream systems.
- Vendors and service providers that rely on UniFi for client environments inherit this risk.
Who Is Affected – Organizations that deploy Ubiquiti UniFi networking gear and use the UniFi Network app (on‑premise or cloud) across any industry – notably technology, retail, education, healthcare, and managed‑service providers.
Recommended Actions –
- Verify that all UniFi Network app instances are running version 10.1.89 or later.
- If older versions are in use, apply the vendor patch immediately and conduct a post‑patch validation.
- Review network segmentation to ensure that only trusted hosts can reach the UniFi management interface.
- Audit logs for any anomalous file‑access or authentication activity since the vulnerability’s disclosure.
Technical Notes – The vulnerability is a path‑traversal flaw (CVE‑2026‑22557) that lets an attacker read/write files on the underlying OS, enabling credential theft and account takeover. The second issue (CVE‑2026‑22558) is an authenticated NoSQL injection that can elevate privileges. Both affect UniFi Network app ≤ 10.1.85; patches are available in 10.1.89+. Source: Security Affairs