Executive Summary
CVE-2026-22557 is a maximum-severity (CVSS 10.0) unauthenticated path traversal vulnerability in Ubiquiti's UniFi Network Application that allows any network-accessible attacker to read and manipulate arbitrary files on the host operating system — ultimately enabling full account takeover of the UniFi controller. Disclosed in March 2026 under Ubiquiti Security Advisory Bulletin 062, this flaw affects tens of thousands of UniFi Network controllers deployed in homes, enterprises, and managed service providers worldwide. Patch immediately by upgrading to UniFi Network Application 10.1.89 (or 10.2.97 on the release candidate track).
1. What Is This Vulnerability?
CVE-2026-22557 is a classic path traversal vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) in the Ubiquiti UniFi Network Application. The application exposes one or more HTTP endpoints that accept a filename or file path as a user-supplied parameter. Because the application fails to sanitize or canonicalize that input, an attacker can inject directory traversal sequences (../) to escape the intended working directory and reach arbitrary locations on the host filesystem.
The CVSS v3.1 vector string — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — tells the full story: the attack is network-reachable, requires low complexity, demands no privileges and no user interaction, and the blast radius extends beyond the application itself to affect the underlying system. That combination produces the maximum score of 10.0.
Two additional vulnerabilities were disclosed alongside CVE-2026-22557 in the same advisory:
| CVE | Type | CVSS | Notes |
|---|---|---|---|
| CVE-2026-22557 | Path Traversal | 10.0 Critical | No auth required; file read/write → account takeover |
| CVE-2026-22558 | NoSQL Injection | 7.7 High | Authenticated; privilege escalation via MongoDB query manipulation |
| CVE-2026-22559 | Improper Input Validation | 8.8 High | Social-engineering link required; can lead to account takeover |
This article focuses primarily on CVE-2026-22557, the most severe of the three.
Attack Vector
The exploit chain is straightforward:
- Identify the endpoint. The UniFi Network Application (a Java-based server) exposes HTTP endpoints, typically on port 8443 (HTTPS). An endpoint accepts a path or filename parameter, for example something like `GET /api/v1/export?file=reports/monthly.csv`.
- Inject traversal sequences. The attacker substitutes the filename with a crafted traversal path:

  ```http
  GET /api/v1/export?file=../../../../etc/passwd HTTP/1.1
  Host: unifi.internal:8443
  ```

  Because the server concatenates the user input directly with the application base directory without sanitization, the resulting path resolves to `/etc/passwd` (or any other file on the host).
- Access sensitive files. Targets of interest include MongoDB credential files, the UniFi `system.properties` configuration (which may contain secret keys), admin session tokens, or the MongoDB data directory itself.
- Escalate to account takeover. By reading or overwriting credential-related files — for example, extracting MongoDB authentication hashes or replacing a stored session token — the attacker achieves full administrative control over the UniFi controller and all managed devices.
Pseudocode illustrating the vulnerable pattern (both snippets assume `java.io.File`, `java.nio.file.Path` and `java.nio.file.Paths` are imported):

```java
// VULNERABLE: direct concatenation without path normalization
String baseDir = "/opt/unifi/data/reports/";
String userInput = request.getParameter("file"); // attacker-controlled
String targetPath = baseDir + userInput;          // no validation: "../" segments walk out of baseDir
File f = new File(targetPath);
sendFileToClient(f);                               // exposes arbitrary files
```

```java
// SAFE: normalize and validate that the resolved path stays inside baseDir
String baseDir = "/opt/unifi/data/reports/";
String userInput = request.getParameter("file");
Path basePath = Paths.get(baseDir).toRealPath();          // canonical base directory (symlinks resolved)
Path resolved = basePath.resolve(userInput).normalize();  // collapses "." and ".."; an absolute userInput
                                                          // replaces basePath entirely and fails the check below
if (!resolved.startsWith(basePath)) {
    throw new SecurityException("Path traversal attempt detected");
}
// normalize() is purely lexical: if symlinks can exist under baseDir, also require
// resolved.toRealPath().startsWith(basePath) before serving the file
File f = resolved.toFile();
sendFileToClient(f);
```
Real-World Impact
Although no widespread mass exploitation campaign had been publicly confirmed as of publication, Ubiquiti classified the flaw as requiring immediate remediation. The UniFi Network Application is one of the most widely deployed prosumer and enterprise Wi-Fi/network management platforms globally. An attacker with visibility into a network segment hosting an unpatched controller — whether from inside a corporate LAN, a compromised IoT device, or a VPN endpoint — can silently take over the entire network management layer, including all UniFi APs, switches, gateways, and cameras under that controller's management. Managed service providers (MSPs) running UniFi in multi-tenant environments face an amplified risk: a single vulnerable controller could expose every client network it manages.
2. Who Is Affected?
Affected Products and Versions
| Track | Affected Versions | Patched Version |
|---|---|---|
| UniFi Network Application (Official Release) | 10.1.85 and earlier | 10.1.89 or later |
| UniFi Network Application (Release Candidate) | 10.2.93 and earlier | 10.2.97 or later |
| UniFi Express (UX) with integrated UniFi Network | 9.0.114 and earlier | 4.0.13 firmware (includes Network 9.0.118+) |
| UniFi Network Server (self-hosted) | 10.1.85 and earlier | 10.1.89 or later |
Scope of Exposure
Any deployment where the UniFi Network Application's management interface is reachable over the network is at risk. This includes:
- Cloud Key Gen2 / Gen2+ running an unpatched Network Application version
- Self-hosted UniFi Network Server on Linux or Windows
- UniFi Dream Machine, Dream Router, Dream Wall with embedded Network Application
- UniFi Express devices running firmware ≤ 4.0.13
Network exposure is not limited to the internet. The CVSS attack vector of AV:N means that any attacker on the same LAN segment — including a compromised endpoint, a rogue wireless device, or an insider threat — can exploit the flaw without needing to traverse a firewall.
3. How to Detect It (Testing)
Manual Testing Steps
Note: Only perform these tests against systems you own or have explicit written authorization to test.
Step 1 — Identify the UniFi controller port and version
```bash
# From a host with network access to the controller
nmap -sV -p 8443,8080 <controller-ip>
```
Look for `Ubiquiti UniFi` in the service banner or the `X-UniFi-*` HTTP headers.
Step 2 — Retrieve the application version
```bash
curl -sk https://<controller-ip>:8443/api/v2/info | python3 -m json.tool | grep -i version
```
If the version is ≤ 10.1.85 (official) or ≤ 10.2.93 (RC), the system is potentially vulnerable.
Step 3 — Attempt a path traversal request (proof-of-concept)
```bash
# Attempt to traverse out of the application directory
curl -sk "https://<controller-ip>:8443/api/v1/export?file=../../../../etc/hostname"
```
Indicators of vulnerability:
- Response body contains the hostname or contents of a system file (confirms exploit success)
- HTTP 200 with unexpected content in the body
- HTTP 500 with a Java stack trace referencing unexpected filesystem paths
Step 4 — Check for write access (if read access confirmed)
Attempt to write a canary file into a world-writable directory (e.g., /tmp) via any write-capable endpoint, then verify its presence.
Automated Scanning
Nuclei template (community templates repository includes CVE-2026-22557 coverage):
```bash
nuclei -t cves/2026/CVE-2026-22557.yaml -u https://<controller-ip>:8443
```
Nessus / Tenable:
Search for plugin ID covering CVE-2026-22557 in the Tenable plugin feed (available post-March 2026 feed update). Run a credentialed scan against the host.
runZero / Asset Discovery: runZero published a detection blog for CVE-2026-22557. Import fingerprints from their blog into your asset inventory to identify affected controllers across your fleet automatically.
OWASP ZAP (active scan):
- Configure ZAP to proxy traffic to the UniFi management interface (bypass SSL validation for testing environments).
- Enable the Path Traversal active scan rule.
- Crawl the authenticated session and run the active scan.
- Review alerts for `../` injection findings on file-serving endpoints.
Code Review Checklist
If you run a custom integration or have access to the UniFi Network Application source or plugins, review the following:
- All file path parameters are normalized using `Path.normalize()` or equivalent before use
- Resolved paths are validated to confirm they remain under the intended base directory (`startsWith(basePath)`)
- No direct string concatenation is used to build file paths from user-controlled input
- Endpoints serving files require authentication (especially relevant for CVE-2026-22557's unauthenticated vector)
- The application runs under a dedicated low-privilege OS user, not `root`
- File serving endpoints use an allowlist of permitted filenames or file extensions rather than accepting arbitrary paths
4. How to Fix It (Mitigation)
Step-by-Step Remediation
Option A — Update via the UniFi Network Application UI (recommended for most users)
- Log into your UniFi Network Application (typically `https://<controller-ip>:8443`).
- Navigate to Settings → System → Updates.
- If version 10.1.89 (or later) is available, click Update and follow the prompts.
- After the update completes, verify the new version under Settings → System → Controller Version.
- Restart the UniFi service to ensure all changes are applied:

```bash
sudo systemctl restart unifi
```
Option B — Manual update on a self-hosted Linux UniFi Network Server
```bash
# Download the latest official release
wget https://dl.ui.com/unifi/<version>/unifi_sysvinit_all.deb
# Stop the current service
sudo systemctl stop unifi
# Install the new package
sudo dpkg -i unifi_sysvinit_all.deb
# Start and verify
sudo systemctl start unifi
sudo systemctl status unifi
```
Option C — UniFi Express firmware update
- Open the UniFi Express web interface.
- Go to Settings → Firmware → Check for Updates.
- Apply firmware 4.0.13 or later, which bundles a patched UniFi Network Application (9.0.118+).
Option D — Network-level mitigation (while patching is in progress)
If immediate patching is not feasible, restrict access to the UniFi management interface at the network perimeter:
```bash
# Example: Allow only trusted management subnets to reach port 8443
# (iptables — adjust for your environment)
sudo iptables -A INPUT -p tcp --dport 8443 -s <trusted-mgmt-subnet>/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j DROP
sudo iptables -A INPUT -p tcp --dport 8080 -s <trusted-mgmt-subnet>/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
```
Code Fix Example (for developers building atop the UniFi platform)
If your application or plugin passes user input to file operations:
```java
// BEFORE — Vulnerable
// assumes: java.io.File, java.nio.file.Files, org.springframework.http.ResponseEntity,
// org.springframework.web.bind.annotation.RequestParam
public ResponseEntity<byte[]> downloadFile(
        @RequestParam String filename) throws IOException {
    // "../" in filename walks out of the exports directory
    File f = new File("/opt/unifi/data/exports/" + filename);
    return ResponseEntity.ok(Files.readAllBytes(f.toPath()));
}
```

```java
// AFTER — Safe
// assumes: java.nio.file.Files, java.nio.file.Path, java.nio.file.Paths,
// org.springframework.http.HttpStatus, org.springframework.http.ResponseEntity,
// org.springframework.web.bind.annotation.RequestParam
public ResponseEntity<byte[]> downloadFile(
        @RequestParam String filename) throws IOException {
    Path baseDir = Paths.get("/opt/unifi/data/exports/").toRealPath();
    Path resolved = baseDir.resolve(filename).normalize();
    // Enforce containment: resolved path must start with baseDir
    // (an absolute filename replaces baseDir during resolve() and fails this check too)
    if (!resolved.startsWith(baseDir)) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
    }
    return ResponseEntity.ok(Files.readAllBytes(resolved));
}
```
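A Python counterpart to the Java containment check shown in the pseudocode in Section 1 and in the fix above (an added example, not UniFi's code or code from the page), extended to two cases the Java snippets do not cover: a null byte in the parameter and a symlink planted inside the base directory that points outside it. The base directory, files and probe inputs are constructed for the demo; the check assumes the web framework has already URL-decoded the parameter once.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def safe_resolve(base_dir: Path, user_input: str) -> Path:
    """Resolve user_input under base_dir, refusing anything that escapes.

    Runs on exactly the string that would reach the filesystem (already
    URL-decoded once by the framework); do not decode again here.
    """
    if "\x00" in user_input:
        # Null bytes truncate paths in some native APIs (cf. the %00.csv test case)
        raise PathTraversalError("null byte in path")
    base = base_dir.resolve(strict=True)
    # resolve() both normalizes '..' and follows symlinks, so a link under
    # base_dir that points outside it is rejected as well (normalize() is not).
    candidate = (base / user_input).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{user_input!r} escapes {base}")
    return candidate


def run_demo() -> dict[str, str]:
    """Exercise safe_resolve against constructed inputs; returns verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "reports"
        base.mkdir()
        (base / "monthly.csv").write_text("constructed sample report\n")
        outside = Path(tmp) / "secret.txt"           # lives outside base
        outside.write_text("constructed secret\n")
        (base / "link").symlink_to(outside)           # symlink escape probe
        probes = {
            "plain_name": "monthly.csv",
            "dotdot_within_base": "sub/../monthly.csv",
            "dotdot_escape": "../../../../etc/passwd",
            "absolute_path": "/etc/passwd",
            "null_byte": "../../../../etc/passwd\x00.csv",
            "symlink_escape": "link",
        }
        verdicts = {}
        for name, user_input in probes.items():
            try:
                safe_resolve(base, user_input)
                verdicts[name] = "allowed"
            except PathTraversalError:
                verdicts[name] = "rejected"
        return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8} {name}")
```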
Configuration Hardening
Even after patching, apply these hardening measures to reduce the risk surface:
- Run UniFi as a non-root user. The default `unifi` system user should not have read access to `/etc/shadow`, `/etc/passwd` owner-write files, or other sensitive locations outside the application directory.
- Enable MongoDB authentication. Ensure the embedded MongoDB instance (if used) requires credentials and is not bound to `0.0.0.0`.
- Restrict management port exposure. Ports 8443 and 8080 should never be exposed to the internet. Use a VPN or SSH tunnel for remote management.
- Enable audit logging. Configure the UniFi system logger to capture all API requests, especially any returning unexpected HTTP 200 responses from file-serving endpoints.
- Apply filesystem permissions. Ensure the UniFi data directory (`/var/lib/unifi` or `/opt/unifi/data`) has restrictive permissions and is not readable by other OS users.
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A — Verify traversal is blocked: After updating, re-run the manual traversal test from Section 3. The response should return HTTP 400 or 403, not file contents.
- Scenario B — Verify normal functionality is preserved: Log into the UniFi Network Application, navigate to Insights → Export, and confirm that legitimate export functionality still works correctly and returns expected data.
- Scenario C — Verify version bump: Confirm the running version via Settings → System and via the API endpoint to ensure the patched version is active and the service did not revert.
Security Test Cases
Test Case 1: Path traversal attempt is rejected
- Precondition: Update applied; UniFi Network Application is at version 10.1.89+.
- Steps: Send the traversal request: `curl -sk "https://<controller-ip>:8443/api/v1/export?file=../../../../etc/hostname"`
- Expected Result: HTTP 400 (Bad Request) or HTTP 403 (Forbidden); body does not contain `/etc/hostname` contents.
Test Case 2: Null-byte injection is rejected
- Steps: Send `curl -sk "https://<controller-ip>:8443/api/v1/export?file=../../../../etc/passwd%00.csv"`
- Expected Result: HTTP 400 or 403; no file contents returned.
Test Case 3: Encoded traversal sequences are rejected
- Steps: Send URL-encoded variant: `file=..%2F..%2F..%2F..%2Fetc%2Fpasswd`
- Expected Result: HTTP 400 or 403; no file contents returned.
Test Case 4: Double-encoded traversal is rejected
- Steps: Send double-encoded variant: `file=..%252F..%252F..%252Fetc%252Fpasswd`
- Expected Result: HTTP 400 or 403; attack does not succeed.
Automated Validation Test (Python)
```python
import sys

import requests
import urllib3

CONTROLLER = "https://<controller-ip>:8443"
TRAVERSAL_PAYLOADS = [
    "../../../../etc/hostname",
    "..%2F..%2F..%2F..%2Fetc%2Fhostname",
    "..%252F..%252Fetc%252Fhostname",
    "....//....//....//etc/hostname",
]
# Strings that only appear if a real system file came back in the body
LEAK_INDICATORS = ("root", "localhost")


def test_path_traversal(controller: str, payloads: list[str]) -> None:
    for payload in payloads:
        url = f"{controller}/api/v1/export?file={payload}"
        try:
            # verify=False: controllers usually present a self-signed certificate
            resp = requests.get(url, verify=False, timeout=10)
        except requests.exceptions.RequestException as e:
            print(f"[ERROR] {payload} → {e}")
            continue
        body = resp.text
        # Check for leaked content first; the original ordering made the
        # "localhost" indicator unreachable whenever "root" was absent.
        if resp.status_code == 200 and any(ind in body for ind in LEAK_INDICATORS):
            print(f"[VULNERABLE] {payload} → HTTP {resp.status_code}: {body[:80]}")
            sys.exit(1)
        elif resp.status_code == 200 and body:
            # 200 with an unexpected body: inspect manually before trusting the patch
            print(f"[INCONCLUSIVE] {payload} → HTTP {resp.status_code}")
        else:
            print(f"[SAFE] {payload} → HTTP {resp.status_code}")


if __name__ == "__main__":
    urllib3.disable_warnings()  # silence InsecureRequestWarning from verify=False
    test_path_traversal(CONTROLLER, TRAVERSAL_PAYLOADS)
    print("\nNo traversal payload returned file contents. Patch validated.")
```
6. Prevention & Hardening
Best Practices
- Never expose the UniFi management interface to the public internet. Use VPN, WireGuard, or Tailscale for remote management access. CISA's Known Exploited Vulnerabilities guidance routinely flags internet-exposed management interfaces as high-priority targets.
- Subscribe to Ubiquiti Security Advisories. Monitor the Ubiquiti Community Security Advisories feed and apply patches within your organization's SLA window for Critical severity (typically 24–72 hours for CVSS 10.0).
- Maintain an asset inventory of UniFi controllers. Tools like runZero can enumerate all UniFi-managed controllers on your network so you have complete visibility when a new advisory drops.
- Apply the principle of least privilege to the UniFi service account. The OS user running the UniFi Network Application process should have access only to
/opt/unifior/var/lib/unifi, with no read access to sensitive system directories. - Segment the management network. Place UniFi controllers on a dedicated management VLAN with strict firewall rules preventing access from production and guest VLANs.
Monitoring & Detection
To detect active exploitation attempts against your UniFi controllers:
Application-level logging:
```bash
# Monitor UniFi application log for anomalous file-serving responses
tail -f /var/log/unifi/server.log | grep -E "(export|download|file=)" | grep -v "200 OK"
```
Web Application Firewall (WAF) / IDS signatures: Block or alert on requests to the UniFi API containing traversal sequences. Note that port 8443 carries TLS, so a network sensor only sees the request line if it inspects decrypted traffic (for example, behind a TLS-terminating reverse proxy or WAF); otherwise rely on application-level logs for this pattern.
```
# Snort/Suricata rule (example)
alert tcp any any -> $UNIFI_SERVERS 8443 \
    (msg:"CVE-2026-22557 UniFi Path Traversal Attempt"; \
    content:"GET"; http_method; \
    pcre:"/(\.\.[\/\\]|%2e%2e[%2f%5c]|%252e%252e)/Ui"; \
    classtype:web-application-attack; \
    sid:20262255701; rev:1;)
```
SIEM alerting: Create an alert for any HTTP 200 responses from the UniFi management interface that originate from IP addresses outside your authorized management VLAN. Unusual success responses from file-serving endpoints are a strong indicator of exploitation.
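The IDS pattern and the SIEM rule above, applied together to access-log lines (an added example, not a UniFi or vendor tool): it URL-decodes each request target until stable so that the plain, encoded and double-encoded variants from the test cases all reduce to `../`, and it flags HTTP 200 responses from a file-serving endpoint to clients outside the management VLAN. The log lines, the management subnet and the file-serving endpoint list are constructed assumptions; UniFi's own `server.log` layout differs, so the line regex must be adapted to the real source.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined-log shape (adapt LINE_RE to your source)
SAMPLE_LOG = """\
10.10.5.23 - - [19/Mar/2026:10:01:02 +0000] "GET /api/v1/export?file=reports/monthly.csv HTTP/1.1" 200 5120
192.168.1.77 - - [19/Mar/2026:10:01:09 +0000] "GET /api/v1/export?file=../../../../etc/hostname HTTP/1.1" 200 14
192.168.1.77 - - [19/Mar/2026:10:01:15 +0000] "GET /api/v1/export?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0
192.168.1.77 - - [19/Mar/2026:10:01:21 +0000] "GET /api/v1/export?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 400 0
10.10.5.23 - - [19/Mar/2026:10:02:00 +0000] "GET /api/v1/export?file=....//....//etc/hostname HTTP/1.1" 403 0
172.16.0.9 - - [19/Mar/2026:10:03:00 +0000] "GET /api/v1/export?file=reports/weekly.csv HTTP/1.1" 200 2048
"""

MGMT_SUBNET = ipaddress.ip_network("10.10.5.0/24")  # assumed management VLAN
FILE_ENDPOINTS = {"/api/v1/export"}                  # assumed file-serving paths
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
# Same idea as the IDS pcre, but applied after decoding: '../' or '..\'
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded %252F ends up as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_line(line: str):
    """Return (source_ip, status, findings) for one line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _method, target, status, _size = m.groups()
    status = int(status)
    findings = []
    if TRAVERSAL_RE.search(fully_decode(target)):
        findings.append("traversal-sequence")
    # SIEM-style rule: 200 from a file-serving endpoint to a client outside the mgmt VLAN
    path = target.split("?", 1)[0]
    if (status == 200 and path in FILE_ENDPOINTS
            and ipaddress.ip_address(src) not in MGMT_SUBNET):
        findings.append("file-endpoint-200-outside-mgmt")
    return src, status, findings


def scan_log(text: str) -> list:
    """Return only the parsed lines that produced at least one finding."""
    results = (classify_line(line) for line in text.splitlines())
    return [r for r in results if r and r[2]]


if __name__ == "__main__":
    for src, status, findings in scan_log(SAMPLE_LOG):
        print(f"{src:15} {status} {', '.join(findings)}")
```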
Periodic vulnerability scanning: Schedule monthly authenticated scans of your UniFi infrastructure with Nessus, Qualys, or Tenable.io to catch version drift before it becomes a window of exposure.
References
- CVE Entry: CVE-2026-22557 — NVD
- Official Advisory: Ubiquiti Security Advisory Bulletin 062
- Patch Download: Ubiquiti Downloads Portal — UniFi Network
- BleepingComputer Coverage: Max severity Ubiquiti UniFi flaw may allow account takeover
- Censys Advisory: March 19 Advisory: Ubiquiti UniFi Network Application Remote Path Traversal
- CyCognito Analysis: Emerging Threat: UniFi Path Traversal CVE-2026-22557
- Truesec Writeup: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- runZero Detection Guide: UniFi Network Application: Find Affected Assets
- Penligent Analysis: CVE-2026-22557 — Why a Path Traversal Bug Became a CVSS 10 Emergency
- SentinelOne Database: CVE-2026-22557 UniFi Network Path Traversal Vulnerability