What is Ubiquiti UniFi OS?
Ubiquiti UniFi OS is the embedded operating system powering Ubiquiti's enterprise networking appliances — Dream Machines (UDM, UDM Pro, UDM SE), Cloud Gateways (UCG-Ultra, UCG-Max), UniFi Network Video Recorders (UNVRs), the UniFi Network Application Server (UNAS), UniFi Express, and related hardware. UniFi OS hosts Ubiquiti's full application suite — network management, video surveillance, physical access control, VPN, and identity services — on a single appliance. These devices are deployed extensively in small businesses, enterprise branch offices, schools, and government facilities. Approximately 100,000 UniFi OS endpoints were internet-exposed at the time of disclosure (Censys), roughly half in the United States.
Overview
CVE-2026-34908 is an improper access control vulnerability in Ubiquiti UniFi OS that allows a network-accessible attacker to bypass authentication entirely and reach protected internal service routes. The flaw arises from a mismatch between how the authentication gateway evaluates request URIs (using the raw, percent-encoded form) and how Nginx routes them (using the normalized, decoded form). A crafted request with a percent-encoded URI passes the auth gateway's allowlist check while resolving to a restricted internal endpoint after normalization.
This authentication bypass is the entry point for a three-CVE exploit chain — CVE-2026-34908 + CVE-2026-34909 + CVE-2026-34910 — that together deliver unauthenticated root-level remote code execution on any reachable UniFi OS appliance. CISA added all three CVEs to the KEV catalog on June 23, 2026. Bishop Fox published a detailed technical analysis and free detection tool on June 8, 2026.
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| UniFi OS Server (unifi-core) | ≤ 5.0.6 (core ≤ 5.0.126) | 5.0.8+ (core 5.0.153) |
| Dream Machines / Cloud Gateways / NVRs | < 5.1.12 | 5.1.12 |
| UNAS series | < 5.1.10 | 5.1.10 |
| UDM Beast | < 5.1.11 | 5.1.11 |
| UniFi Express | < 4.0.14 | 4.0.14 |
Technical Details
UniFi OS routes incoming requests through an authentication gateway that compares the request URI against an allowlist of public (unauthenticated) paths. A separate Nginx layer proxies the request to backend services using the normalized URI — with percent-encoded sequences decoded and path segments resolved.
The vulnerability arises because the auth gateway compares the raw, percent-encoded URI while Nginx routes using the normalized URI. An attacker constructs a request whose raw URI begins with a public prefix (e.g., /api/auth/validate-sso/) so the gateway approves it, while the normalized form decodes percent-encoded path separators (%2f → /, %2e%2e → ..) and resolves to a protected internal /proxy/<service>/ route.
The fix in UniFi OS Server 5.0.8 adds a normalization guard that returns HTTP 400 when the raw and normalized service-name components of a URI diverge, eliminating the mismatch.
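As an added illustration (not code from Ubiquiti, Bishop Fox, or this page), the following Python models the gateway-versus-proxy mismatch and the normalization guard the fix introduces. The allowlist prefix is the page's example; the guard here compares the whole decoded path, which is stricter than the service-name comparison described above, and the sample URIs are constructed.

```python
from urllib.parse import unquote

# Hypothetical public (unauthenticated) prefixes, taken from the page's example;
# the real UniFi OS allowlist is not reproduced here.
PUBLIC_PREFIXES = ("/api/auth/validate-sso/",)


def normalize(raw_uri: str) -> str:
    """Approximate what the proxy layer does before routing: one percent-decode
    pass, then resolution of '.' and '..' path segments."""
    path = unquote(raw_uri.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    joined = "/" + "/".join(out)
    if path.endswith("/") and out:
        joined += "/"
    return joined


def gateway_vulnerable(raw_uri: str) -> str:
    """Pre-fix behaviour: the allowlist is evaluated on the raw URI only, so a
    request is approved even if the proxy will route its decoded form elsewhere."""
    if raw_uri.startswith(PUBLIC_PREFIXES):
        return "allow"
    return "auth-required"


def gateway_fixed(raw_uri: str) -> str:
    """Post-fix behaviour: refuse (HTTP 400) any request whose raw and normalized
    forms disagree, then evaluate the allowlist on the same form the proxy routes."""
    norm = normalize(raw_uri)
    if norm != raw_uri.split("?", 1)[0]:
        return "400"
    if norm.startswith(PUBLIC_PREFIXES):
        return "allow"
    return "auth-required"


if __name__ == "__main__":
    # Constructed sample: raw form sits under the public prefix, decoded form does not.
    sample = "/api/auth/validate-sso/%2e%2e/"
    print(normalize(sample), gateway_vulnerable(sample), gateway_fixed(sample))
```

A whole-path comparison also rejects legitimately percent-encoded path characters such as %20, so a production guard would scope the comparison to the routed segment, as the vendor fix does.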
CVSS characteristics:
- AV:N — remotely exploitable over the network
- AC:L — no special conditions or race required
- PR:N — no credentials needed
- UI:N — no victim interaction
- S:C — scope changes; access is gained to backend services beyond the gateway itself
Discovery
CVE-2026-34908 was reported by Duc Anh Nguyen (@heckintosh_) through Ubiquiti's HackerOne bug bounty program. Ubiquiti credited the researcher in Security Advisory Bulletin 064, published May 21–22, 2026.
Exploitation Context
CISA's KEV designation confirms exploitation in the wild. With approximately 100,000 internet-exposed UniFi OS endpoints (Censys), this vulnerability family represents one of the largest attack surfaces in 2026.
CVE-2026-34908 is the authentication bypass that enables the full exploit chain:
- CVE-2026-34908 (this CVE) — Auth bypass: percent-encoded URI passes gateway, normalized URI routes to internal service
- CVE-2026-34909 — Path traversal: access internal file routes to exfiltrate signing keys and credentials
- CVE-2026-34910 — Command injection: inject shell commands at the package-update endpoint → root RCE via malicious .deb
Post-exploitation in the full chain includes: exfiltration of signing keys used to forge persistent admin sessions, TLS private key disclosure, cloud access token theft, full credential database access, and on hardware-equipped appliances, physical access control (door locks, NFC credentials, facial recognition data).
Bishop Fox noted a critical limitation: patching closes the attack path but does not remediate prior compromises. Instances that were internet-exposed before patching may retain attacker persistence through signing key exfiltration or installed backdoors — none of which the firmware update removes.
Remediation
- Update UniFi OS immediately to the patched version for your hardware (see Affected Versions table above). Apply via the UniFi console update mechanism.
- Restrict management interface access — the UniFi OS management portal should not be directly reachable from the internet; require VPN for all remote administration.
- Check for prior exposure — if your device was internet-accessible on unpatched firmware, assume potential compromise and investigate before trusting the appliance.
- Use the Bishop Fox detection tool (github.com/BishopFox/CVE-2026-34908-check) to safely verify whether your instance was or is vulnerable.
- Rotate signing keys and credentials — if prior exposure cannot be ruled out, rotate admin credentials, revoke and reissue certificates, and review cloud tokens; contact Ubiquiti support for signing key rotation guidance.
- Monitor for persistence — check for unexpected scheduled tasks, modified startup scripts, or unauthorized packages installed on the appliance.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-34908 |
| Vendor / Product | Ubiquiti — UniFi OS |
| NVD Published | 2026-05-22 |
| NVD Last Modified | 2026-06-23 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-284 |
| CISA KEV Added | 2026-06-23 |
| CISA KEV Deadline | 2026-06-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-05-21 | Ubiquiti Security Advisory Bulletin 064 published |
| 2026-05-22 | CVE published |
| 2026-06-08 | Bishop Fox technical analysis and detection tool published |
| 2026-06-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-34908 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Ubiquiti Security Advisory Bulletin 064 | Vendor Advisory |
| Bishop Fox — Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection and Analysis | Security Research |
| Bishop Fox CVE-2026-34908 Detection Tool | Security Research |
| BleepingComputer — Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication | News |