CVE-2026-34910
Published: 22 May 2026
Summary
CVE-2026-34910 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Ui UniFi OS Server. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
A malicious actor with network access could exploit an Improper Input Validation vulnerability (CWE-20) in UniFi OS devices to perform command injection. The flaw carries a CVSS 3.1 base score of 10.0, reflecting network attack vector, low complexity, no required privileges or user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An unauthenticated attacker reachable over the network can supply crafted input that results in arbitrary command execution on the affected device, potentially allowing full compromise of the UniFi OS system and any connected infrastructure.
Ubiquiti has published Security Advisory Bulletin 064, available at the referenced community.ui.com URL, which addresses the issue for UniFi OS devices. The EPSS score remains flat at 0.1815 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31382
Vulnerability details
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
- KEV Date Added: 23 June 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Network-accessible improper input validation enabling remote command injection directly maps to public-facing app exploitation (T1190) and arbitrary command execution via shell (T1059).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input to the UniFi OS interfaces, blocking the crafted payloads that trigger command injection.
Enforces boundary protection and network segmentation so that unauthenticated attackers cannot reach the vulnerable UniFi OS services.
Mandates timely application of the vendor patch published in Security Advisory Bulletin 064, eliminating the improper-input-validation flaw.