Ubiquiti Fixes CVE-2026-50746 in UniFi Connect
Ubiquiti has released fixes for multiple vulnerabilities in the UniFi ecosystem under Security Advisory Bulletin 066 (SAB-066). The highest-severity issue highlighted in public reporting is CVE-2026-50746, a critical command injection vulnerability affecting the UniFi Connect Application. The vulnerability is especially important because the CNA vector indicates network-based exploitation, low attack complexity, no required privileges, and no user interaction.
What Is CVE-2026-50746?
CVE-2026-50746 (CVSS 10.0) is an improper access control vulnerability in the UniFi Connect Application. According to NVD, a malicious actor with network access could exploit the flaw to execute command injection on the host device.
In plain terms, the application may expose functionality that should be restricted. If an attacker can reach the vulnerable service over the network, that access-control failure could lead to attacker-controlled command execution on the host running UniFi Connect.

Details of CVE-2026-50746 (SOCRadar Vulnerability Intelligence)
NVD lists the weakness as CWE-284: Improper Access Control and shows the CNA-provided vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Which UniFi Connect Versions Are Affected by CVE-2026-50746?
The safest remediation target is UniFi Connect Application 3.4.20 or later. NVD’s affected-version data lists UniFi Connect Application versions below 3.4.20 as affected, while the advisory lists that the issue affects 3.4.16 and earlier and says users should update to 3.4.20 or later.
Why Does This UniFi Connect Vulnerability Matter?
Command injection vulnerabilities can be high-impact because they may let attackers run commands on the underlying host. In this case, the risk depends on how the UniFi Connect Application is deployed, what privileges the service has, and what systems are reachable from that host.
CVE-2026-50746 is more urgent because the CNA metrics describe a network-accessible, low-complexity attack path with no privileges or user interaction required. Even though “network access” does not automatically mean internet exposure, it still matters for LANs, VPN-connected environments, routed administrative networks, and other reachable management paths.
Is CVE-2026-50746 Being Exploited?
Ubiquiti has not disclosed whether CVE-2026-50746 or the other SAB-066 vulnerabilities were exploited in the wild before patching. NVD’s CISA ADP SSVC data also showed exploitation: none for CVE-2026-50746 at the time of review.
No functional Proof-of-Concept (PoC) exploit has been identified in the public domain at the time of writing. However, the lack of confirmed exploitation should not lower remediation priority, because the vulnerability has a maximum CNA severity score and favorable exploitation characteristics.
How Can SOCRadar Support Vulnerability Intelligence?
When addressing critical flaws such as CVE-2026-50746, security teams must determine the extent of external exposure, monitor for potential exploitation signals, and utilize threat intelligence context to prioritize vulnerable assets within the remediation workflow.
SOCRadar’s vulnerability management capabilities support this process by helping teams track affected assets, follow remediation status, and prioritize patching with risk context.
The Cyber Threat Intelligence module adds threat context by monitoring exploit discussions, public PoC developments, threat actor interest, and emerging vulnerability-related activity. Attack Surface Management (ASM) also contributes by identifying internet-facing assets and reachable management services, helping your organization prioritize UniFi-related remediation based on real-world exposure and threat signals.

SOCRadar Vulnerability Intelligence
How Should Defenders Respond?
1. Patch UniFi Connect First
Organizations running UniFi Connect should upgrade to version 3.4.20 or later. This is the most important action for CVE-2026-50746.
Teams should confirm the update from the UniFi console or update channel, document the patched version, and prioritize any instance reachable from broad internal networks, VPN users, or external paths.
2. Reduce Management Interface Exposure
Because the vulnerability requires network reachability, reducing access to UniFi management services can lower risk while patching is underway.
Security teams should:
- Restrict UniFi management interfaces to dedicated administrative networks.
- Require VPN, a jump host, or other controlled access path where feasible.
- Use firewall rules or allowlists to limit who can reach management endpoints.
- Avoid exposing management services directly to the internet unless there is a clear business requirement.
These controls do not replace patching, but they reduce the number of paths an attacker can use to reach vulnerable services.
3. Hunt for Suspicious Host Activity
The public sources reviewed do not include vendor-provided indicators of compromise or a confirmed exploit fingerprint for CVE-2026-50746. Detection should therefore focus on behavior.
Security teams should look for:
- Unexpected child processes spawned by UniFi application processes
- Shells, scripting runtimes, or system utilities launched from application contexts
- Unusual inbound traffic to UniFi management services
- Access attempts from non-admin network segments
- Unplanned configuration changes outside maintenance windows
Any suspicious host-level activity should be correlated with network logs, authentication telemetry, and UniFi application events.
What Other UniFi CVEs Are Included in SAB-066?
Alongside CVE-2026-50746, SAB-066 covers several other critical vulnerabilities across UniFi components, affecting UniFi Talk, UniFi Access, UniFi Protect, UniFi OS Server, and several UniFi OS device families.
What Is the Current Risk?
CVE-2026-50746 should be treated as a high-priority patching item for any organization running UniFi Connect, especially where management services are reachable from broad internal networks or untrusted segments.
Confirmed exploitation has not been reported in the reviewed sources, but the combination of command injection, network reachability, no required privileges, and CVSS 10.0 makes delayed remediation risky. Security teams should upgrade UniFi Connect to 3.4.20 or later, review the broader SAB-066 patch set, restrict management-plane access, and monitor for unusual host or management-interface activity.
