CVE-2026-34909

What is Ubiquiti UniFi OS?

Ubiquiti UniFi OS is the embedded operating system powering Ubiquiti's enterprise networking appliances — Dream Machines, Cloud Gateways, UniFi NVRs, UNAS, and UniFi Express devices. It hosts network management, video surveillance, physical access control, VPN, and identity services on a single appliance. Approximately 100,000 UniFi OS endpoints were internet-exposed at the time of disclosure (Censys).

Overview

CVE-2026-34909 is a path traversal vulnerability in Ubiquiti UniFi OS. It is the second step in a three-CVE exploit chain — CVE-2026-34908 (authentication bypass) + CVE-2026-34909 (path traversal) + CVE-2026-34910 (command injection) — that together deliver unauthenticated root-level remote code execution. In this chain, the path traversal is used to navigate from a nominally public URI to internal file service routes, exposing sensitive system artifacts including signing keys, TLS certificates, and credential stores. The signing key is particularly consequential: exfiltrating it allows an attacker to forge admin sessions that remain valid even after the appliance is patched.

CISA added all three UniFi OS CVEs to the KEV catalog on June 23, 2026.

Affected Versions

Technical Details

CVE-2026-34909 exploits the same URI normalization mismatch in UniFi OS's authentication gateway that underlies CVE-2026-34908. The path traversal mechanism embeds percent-encoded sequences (..%2f, %2e%2e, %2e%2e%2f) within the request URI. The raw URI (evaluated by the auth gateway) begins with a public-route prefix and passes authentication. The normalized URI (used by Nginx for routing) resolves the traversal sequences and maps to a protected internal file service path.

This gives an unauthenticated attacker read access to arbitrary files on the underlying OS, most critically:

• Signing keys used to authenticate admin sessions — persistent across credential resets
• TLS private keys for the management interface
• Cloud access tokens linking the appliance to Ubiquiti's cloud infrastructure
• The credential database containing admin password hashes
• RADIUS, WiFi, VPN, NFC, and physical access control data

The patch in UniFi OS Server 5.0.8 normalizes URIs before allowlist checking so raw and decoded paths are always evaluated equivalently, closing the traversal surface.

Discovery

CVE-2026-34909 was reported by Abdulaziz Almadhi of Catchify Security through Ubiquiti's HackerOne bug bounty program. Ubiquiti credited the researcher in Security Advisory Bulletin 064, published May 21–22, 2026.

Exploitation Context

CISA's KEV designation confirms exploitation in the wild. CVE-2026-34909 is the second step of the three-CVE chain:

1. CVE-2026-34908 — Auth bypass: authentication gateway approves a crafted percent-encoded request targeting an internal route
2. CVE-2026-34909 (this CVE) — Path traversal: access internal file service routes to read signing keys and credentials
3. CVE-2026-34910 — Command injection: reach the package-update endpoint and execute arbitrary shell commands as root

The signing key exfiltrated via CVE-2026-34909 is the most dangerous artifact: it allows forging admin sessions that remain valid even after patching, because firmware updates do not automatically rotate the signing key. Bishop Fox's June 8, 2026 analysis notes that previously compromised instances may retain attacker-forged access that patching alone does not eliminate.

Beyond key theft, file access in the exploit chain enables extraction of the full credential database, cloud tokens, and on access-control-equipped hardware, physical security data (NFC keys, facial recognition profiles, door lock credentials).

Remediation

1. Update UniFi OS to the patched version for your hardware (see Affected Versions table above).
2. Restrict management interface access — ensure the UniFi OS management portal is not directly internet-accessible; require VPN for all remote administration.
3. Assume key compromise on previously exposed instances — if your device was internet-accessible before patching, treat the signing key and all stored credentials as compromised: rotate admin passwords, revoke and reissue TLS certificates, invalidate cloud tokens, and contact Ubiquiti support for signing key rotation procedures.
4. Use the Bishop Fox detection tool (github.com/BishopFox/CVE-2026-34908-check) to assess whether your instance was or remains vulnerable.
5. Audit admin sessions — revoke all existing admin sessions and re-authenticate after patching to flush any forged tokens issued using a stolen signing key.
6. Review connected physical access systems — if the appliance manages door locks, NFC readers, or cameras, audit access logs and rotate physical credentials that may have been exfiltrated.