Critical UniFi OS bug lets hackers gain root without authentication
Published 2026-06-08 16:01:52 | Source: www.bleepingcomputer.com


Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication.

The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They were addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.

All three flaws received the maximum severity rating, even though exploiting them requires network access; however, the vendor's advisory did not mention that they could be chained for remote code execution.


  • CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems
  • CVE-2026-34909 is a path traversal vulnerability that can expose files on the underlying operating system
  • CVE-2026-34910 is a command injection flaw that can be exploited to execute commands on affected devices

Additional technical details from Bishop Fox researchers, who validated the complete attack path on a live UniFi OS Server 5.0.6 instance, show that CVE-2026-34908 and CVE-2026-34909 can be used to bypass authentication and reach a vulnerable endpoint, where CVE-2026-34910 enables command injection.

Although the injected commands do not initially run as root, the researchers found that the affected service account's sudo privileges make privilege escalation trivial.

According to Bishop Fox, no credentials, user interaction, or prior access are required to obtain a root shell on the target.

“A UniFi OS Server is not a generic Linux box; it is the management plane for an organization’s network, including, where those devices are deployed, its physical-access doors, surveillance cameras, and the identities tied to them,” explains Bishop Fox.

“Root on the appliance is administrative control over everything the console governs.”

Root cause and exploit chain

The root cause of the authentication bypass is a mismatch between how UniFi OS validates and routes incoming requests.

Specifically, the authentication component evaluates the raw request URI, while Nginx routes requests based on a normalized version of the same URI.

By crafting requests that appear to target an authentication-exempt endpoint in their raw form but resolve to protected internal routes after normalization, attackers can bypass authentication and reach backend services that should not be publicly accessible.

Once inside, the attackers can target a package-update endpoint with CVE-2026-34910, passing unvalidated user input into a shell command to execute arbitrary commands on the system.

The injected commands execute under a highly privileged service account with passwordless sudo access to several system binaries, making escalation to root trivial.

Although the researchers validated the RCE chain, they did not share the full details or a working proof of concept (PoC).

Detection tool available

Bishop Fox has released a free detection script to help defenders discover if their instance is vulnerable to the unauthenticated RCE chain.

It does this by safely sending a specially crafted request that reaches the vulnerable code path without executing any dangerous commands, and then classifying the target as “vulnerable,” “patched,” “unaffected,” or “inconclusive.”

However, it is important to note that the script does not detect active attacks, whether exploitation has occurred in the past, or if persistence mechanisms or backdoors are present on the target.

The researchers note that identifying previous exploitation may be challenging because the attack does not require authentication.

“The chain reaches root (we confirmed it) with no credentials and no user interaction, so there is no failed-login trail to look for,” warns Bishop Fox.

Apart from the tool, defenders can also look for requests containing ‘/api/auth/validate-sso/’, monitor requests to ‘ucs/update/latest_package’, and watch for suspicious child processes under ‘ucs-update’ and unexpected sudo commands.
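A log-triage sketch for the indicators just listed, written as an added example and not Bishop Fox's detection script. It normalizes each logged request path the way a router would and flags two things the article describes: a path that mentions the auth-exempt ‘/api/auth/validate-sso/’ prefix but normalizes to a different route (the raw-vs-normalized mismatch behind the bypass), and any request that reaches ‘ucs/update/latest_package’. The log format, the ‘proxy/placeholder’ route, and the sample lines are constructed for the example.

```python
"""Access-log triage for the UniFi OS Server chain (added example, constructed data)."""
import posixpath
import re
from urllib.parse import unquote

EXEMPT_PREFIX = "/api/auth/validate-sso/"       # auth-exempt path named in the article
UPDATE_ENDPOINT = "ucs/update/latest_package"   # endpoint hit by the command injection

# Assumed combined-log-style format: client, ident, user, [time], "METHOD PATH PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2026:16:01:52 +0000] "GET /dashboard HTTP/1.1" 200',
    '203.0.113.5 - - [08/Jun/2026:16:01:53 +0000] "POST /api/auth/validate-sso/ HTTP/1.1" 401',
    '198.51.100.7 - - [08/Jun/2026:16:02:10 +0000] "GET /api/auth/validate-sso/..%2f..%2fproxy/placeholder HTTP/1.1" 200',
    '198.51.100.7 - - [08/Jun/2026:16:02:11 +0000] "POST /ucs/update/latest_package?pkg=x HTTP/1.1" 200',
]


def normalize_uri(raw_path: str) -> str:
    """Percent-decode and collapse '.'/'..' segments, i.e. the view a router gets,
    so it can be compared with the raw string an auth filter matched against."""
    path = unquote(raw_path.split("?", 1)[0])
    norm = posixpath.normpath(path)          # resolves '..' and duplicate slashes
    return norm + "/" if path.endswith("/") and norm != "/" else norm


def classify_request(raw_path: str) -> list:
    """Return the indicator names that apply to one logged request path."""
    hits = []
    norm = normalize_uri(raw_path)
    # Raw path carries the exempt prefix, but the normalized route leaves it.
    if EXEMPT_PREFIX in raw_path and not norm.startswith(EXEMPT_PREFIX):
        hits.append("exempt-prefix-mismatch")
    # Any request that lands on the package-update endpoint is worth review.
    if UPDATE_ENDPOINT in norm:
        hits.append("update-endpoint")
    return hits


def scan_log(lines) -> list:
    """Return (client, raw_path, indicators) for every line that matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines in another format
        client, _method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((client, path, hits))
    return findings


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(hits)}")
```

A hit on ‘exempt-prefix-mismatch’ is a lead to correlate with the process and sudo indicators above, not proof of compromise on its own.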

Bishop Fox confirmed that the attack chain doesn’t work on UniFi OS Server 5.0.8, so users should upgrade to this release or later.

However, organizations should confirm that the update is installed on a system that has not been compromised.




Article source: https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-hackers-gain-root-without-authentication/