UniFi OS root with no password: CVE-2026-34910 and the unauthenticated RCE chain
A command-injection bug that, chained with two siblings, hands attackers a root shell on the box that runs your network, cameras and door locks

On its own, CVE-2026-34910 is a command-injection flaw in a UniFi OS Server update endpoint. The reason it's an emergency is the company it keeps: Bishop Fox showed it chains with two sibling bugs — CVE-2026-34908 (access-control / auth bypass) and CVE-2026-34909 (path traversal) — into a no-credentials, no-interaction path to root on the device that is the control plane for an organization's network, cameras and physical-access doors.
What CVE-2026-34910 is
CVE-2026-34910 is an improper-input-validation / command-injection flaw (CVSS 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) in the package-update handler of Ubiquiti UniFi OS Server. An attacker supplies a crafted package name containing shell metacharacters (plus an option that forces the command code path), and the unvalidated input lands in a shell command. There is also an authentication-required variant, CVE-2026-33000 (CVSS 9.1).
The unauthenticated chain (per Bishop Fox)
Ubiquiti's advisory rated all three bugs maximum severity but didn't say they could be chained. Bishop Fox validated the full path on a live UniFi OS Server 5.0.6 instance and detailed how the pieces fit together:
- Auth bypass via URI mismatch (CVE-2026-34908 / CVE-2026-34909) — the authentication layer evaluates the raw request URI while Nginx routes on a normalized version. A request that looks auth-exempt in raw form but resolves to a protected internal route after normalization slips past authentication and reaches backend services.
- Command injection (CVE-2026-34910) — once inside, the attacker hits the package-update endpoint and injects shell commands through the unvalidated package name.
- Trivial root — the injected commands run under a highly privileged service account with passwordless sudo to several binaries, so escalating from that account to a full root shell is trivial.
- Result: Bishop Fox confirmed a root shell with no credentials, no user interaction and no prior access. They published a free detection script but did not release a working exploit.
Root on the appliance is administrative control over everything the console governs.
Am I affected?
Affected if you run UniFi OS Server 5.0.6 or earlier. Exploitation requires network access to the appliance — and a UniFi OS Server is, by design, the centrally-integrated management plane for network infrastructure, so a compromise is a strong lateral-movement foothold.
| Item | Detail |
|---|---|
| Affected | Ubiquiti UniFi OS Server 5.0.6 and earlier |
| The chain | CVE-2026-34908 (access control / auth bypass) + CVE-2026-34909 (path traversal) + CVE-2026-34910 (command injection) — all CVSS 10.0 |
| Auth-required variant | CVE-2026-33000 (CVSS 9.1) |
| Access required | Network access; no credentials / no user interaction for the full chain |
| Impact | Unauthenticated remote code execution → root; full device + management-plane takeover; lateral movement |
| Fix | Upgrade to UniFi OS Server 5.0.8 or later (also 5.1.10 / 5.1.11 / 5.1.12). The chain does not work on 5.0.8. |
Detection & hunting
Patching closes the door but doesn't tell you whether someone already walked through it. Bishop Fox shipped a free, non-destructive detection script (it sends a crafted request that reaches the vulnerable code path without running dangerous commands). For exploitation hunting, watch for:
- Requests containing /api/auth/validate-sso/ (the raw-URI prefix used to slip past auth).
- Requests to ucs/update/latest_package, suspicious child processes under ucs-update, and unexpected sudo invocations.
- New / unexpected administrator accounts (reported abuse created one named 'John Sim').
- Run Bishop Fox's vulnerability check: github.com/BishopFox/CVE-2026-34908-check — note it flags vulnerability, not past compromise or persistence.
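Added example, not the page's own code and not Bishop Fox's check script: a small Python hunt that applies the two log-side indicators above to constructed Nginx-style access-log lines. It flags a request whose raw path begins with the auth-exempt validate-sso prefix but no longer does once the path is normalized (the raw-vs-normalized mismatch the chain relies on), and any request that reaches the package-update endpoint. The sample log lines and the `internal` route segment are made up for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Indicators named in the Bishop Fox write-up (taken from the text above).
SSO_PREFIX = "/api/auth/validate-sso/"
UPDATE_ENDPOINT = "ucs/update/latest_package"

# Minimal combined-log parser: method, raw request path and status are enough here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(raw_path: str) -> str:
    """Approximate what the proxy does before routing: drop the query string,
    percent-decode, then collapse '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    return posixpath.normpath(unquote(path))

def classify(raw_path: str) -> list[str]:
    """Return the indicator names a single request path trips (empty if none)."""
    hits = []
    norm = normalize(raw_path)
    # Raw URI looks like the auth-exempt SSO route, but after normalization it
    # points somewhere else: the mismatch the auth layer is fooled by.
    if raw_path.startswith(SSO_PREFIX) and not norm.startswith(SSO_PREFIX):
        hits.append("auth-bypass-probe")
    # Any request reaching the package-update handler deserves review;
    # correlate it with the console's own update activity.
    if UPDATE_ENDPOINT in norm:
        hits.append("update-endpoint")
    return hits

def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (raw_path, indicators) for every log line that trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (hits := classify(m.group("path"))):
            findings.append((m.group("path"), hits))
    return findings

# Constructed sample access-log lines (not real traffic). Line 2 shows the
# raw-vs-normalized mismatch shape; line 3 hits the update endpoint directly.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api/auth/validate-sso/callback HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api/auth/validate-sso/../internal HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "POST /ucs/update/latest_package?x=1 HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2026:10:00:03 +0000] "GET /manage/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for path, hits in hunt(SAMPLE_LOG):
        print(f"{path}  ->  {', '.join(hits)}")
```

A hit from this script is a lead, not proof of compromise: pair it with the process and account indicators above, and remember that Bishop Fox's own check only tells you whether the box is vulnerable.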
```
# Hunt indicators (Bishop Fox)
# 1) auth-bypass probe in access logs:
/api/auth/validate-sso/...        # raw URI that normalizes to a protected route
# 2) command-injection target:
ucs/update/latest_package         # package-update endpoint
# 3) post-exploitation:
child processes under 'ucs-update' + unexpected 'sudo' calls; new admin accounts
```
What to do now
- Upgrade UniFi OS Server to 5.0.8 or later immediately — but install it on a system you've confirmed isn't already compromised.
- Restrict management access — keep the UniFi OS management interface off the public internet and limited to trusted networks.
- Hunt before trusting the patch — KEV-listed and unauth means assume-breach: review logs for the indicators above and any rogue admin accounts.
- Run the Bishop Fox check to confirm exposure, and rebuild rather than 'clean' any box you find evidence of compromise on (anti-forensics and backdoors are plausible).