Ubiquiti released security updates patching seven critical-to-maximum severity vulnerabilities across its UniFi OS product line, with the lead flaw — CVE-2026-50746, a maximum-severity command injection in the UniFi Connect Application — requiring only network access to exploit. Threat intelligence from Censys shows more than 100,000 UniFi OS instances accessible from the internet, with nearly 50,000 in the United States.
CVE-2026-50746: Command Injection in UniFi Connect Application Requires Only Network Access
CVE-2026-50746 affects UniFi Connect Application versions 3.4.16 and earlier. It is an improper access control command injection: any attacker with network connectivity to an affected device can inject and execute arbitrary commands directly on the host system without credentials, without special privileges, and without any user interaction. Network reachability to the device is the only requirement.
Ubiquiti classifies CVE-2026-50746 as maximum severity. The remediated version is UniFi Connect Application 3.4.20 or later.
The attack profile — authenticated or not, low complexity, no interaction — describes a class of vulnerability that historically attracts rapid weaponization. Once a device is reachable from an attacker’s network position, the window between disclosure and exploitation can be measured in hours, not days, particularly for widely-deployed network infrastructure products.
Six More Critical CVEs Cover UniFi Talk, Access, Protect, OS Server, Routers, and NAS
The July 8 update package addresses six additional critical-severity vulnerabilities alongside CVE-2026-50746: CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, and CVE-2026-55116. These affect UniFi Talk, UniFi Access, UniFi Protect, UniFi OS Server, and Ubiquiti’s routers, gateways, NAS devices, and surveillance systems.
Six of the seven patched flaws share CVE-2026-50746’s low-complexity, no-user-interaction exploitation profile. The scope of affected product categories means that in a typical Ubiquiti-deployed network, the unpatched window exposes not one system type but the full breadth of network, storage, surveillance, communications, and access-control hardware simultaneously.
Sectors with Slower Patch Cycles and Why the 100,000-Instance Exposure Figure Matters
Censys tracks more than 100,000 internet-accessible UniFi OS instances globally, with nearly 50,000 in the United States. Ubiquiti’s price point and feature set have made the product line a common choice in university campuses, healthcare networks, small-to-medium businesses, and government facilities — environments where security patching cycles are often slower than those in large enterprise IT organizations.
That concentration of deployment in sectors with extended patch cadences, combined with the all-network-access attack profile of six of the seven CVEs, produces an extended exposure window for the bulk of the affected install base. An internet-accessible UniFi OS device running an unpatched version of any affected application is reachable by any attacker on the public internet.
How the July 8 Batch Differs from Ubiquiti’s May 2026 Disclosure
This advisory is distinct from the three maximum-severity UniFi OS flaws Ubiquiti patched in May 2026. The July 8 release covers seven entirely new CVE identifiers — CVE-2026-50746 through CVE-2026-55116 — none of which overlap with the prior disclosure. Administrators who applied the May patches must still apply the July update to close the new vulnerabilities.
Ubiquiti’s security advisory includes specific patched version targets for each affected product. For CVE-2026-50746, the target is UniFi Connect Application 3.4.20 or later. Administrators running UniFi Talk, UniFi Access, UniFi Protect, UniFi OS Server, and the affected routers, gateways, NAS, and surveillance products should consult the advisory for the corresponding update version for each product line.
For organizations with internet-facing UniFi OS deployments, the exposure is immediate: the public internet provides network access, and six of the seven vulnerabilities require nothing more than that. For internal deployments, the threat is bounded to network-adjacent positions, though lateral movement after initial access remains a standard attacker technique in environments where Ubiquiti hardware is part of the campus or facility backbone.
