CVE-2026-22557 scored the maximum possible severity rating. No login required. No user interaction needed. If you run an unpatched UniFi controller, someone with network access can take it over.
A perfect 10. In the CVSS vulnerability scoring system — which security teams use to prioritize what gets fixed first — 10.0 is the maximum. It means the math worked out as badly as possible for defenders: the attack is simple, requires no authentication, needs no help from a user, and gives the attacker full control of the target. CVE-2026-22557 in the UniFi Network Application hit every one of those marks.
Ubiquiti pushed emergency fixes in March 2026. The patch has been available for months. But Cybernews scans show thousands of UniFi controllers still running vulnerable versions — and the organizations least likely to have updated are exactly the ones WCW works with: small businesses and churches running self-hosted UniFi setups that were configured once and then largely left alone.
CVE-2026-22557 is a path traversal vulnerability. In plain terms: the UniFi Network Application doesn't properly validate file paths in certain requests, which lets an attacker read files on the underlying system that the application shouldn't be exposing. By reading specific configuration and credential files, an attacker can take over an admin account — without ever having logged in.
The attack chain is short. An attacker with any kind of access to the network where the UniFi controller lives — the local LAN, a compromised device on the network, or in cases where controllers are exposed to the internet, from anywhere — sends a specially crafted request to the controller. No login prompt. No user needs to click anything. The controller hands back information that lets the attacker authenticate as an administrator.
From there, the attacker has full control of your UniFi deployment: they can see every connected device, modify network configuration, create or delete VLANs, adjust firewall rules, and pivot through the network as they see fit.
CVE-2026-22557 isn't the only flaw Ubiquiti patched in this update. A second vulnerability — CVSS 7.7, still serious — is an authenticated NoSQL injection bug. It requires a valid session to exploit, but once an attacker has one (easily obtained via the first flaw), they can use it to escalate privileges beyond what the account normally allows.
The two vulnerabilities work together cleanly: the path traversal gets you in, the NoSQL injection expands what you can do once you're there. Together they represent a complete account takeover chain that starts from zero — no credentials, no foothold required.
All versions of the UniFi Network Application released before March 18, 2026 are vulnerable. That's a wide net.
| Deployment Type | Vulnerable Through | Safe Version |
|---|---|---|
| UniFi Network App (Official Release) | ≤ 10.1.85 | 10.1.89 or later |
| UniFi Network App (Release Candidate) | ≤ 10.2.93 | 10.2.97 or later |
| UniFi Express (UX) | ≤ 9.0.114 | Firmware 4.0.13 or later |
To check your version: log into your UniFi Network controller, go to Settings → System → Application Configuration. The current version is displayed there. If it's below the safe thresholds above, you need to update.
The update path depends on how your controller is deployed. UniFi Cloud Key and UniFi Dream Machine appliances can update through the device's own interface. Self-hosted controllers running on a server or Windows machine require a manual installer update — they don't auto-update.
"The organizations least likely to have updated are exactly the ones who configured their UniFi deployment once and left it alone. That's not negligence — it's how small office IT usually works. But it's also why this matters."
UniFi is popular with small businesses and churches for good reasons. It's well-designed, it's reliable once deployed, and it doesn't require constant attention to keep running. The problem is that "doesn't need attention" often slides into "nobody checks it for months." The network keeps working fine. Devices stay connected. Nobody looks at the controller.
That pattern — deploy it, it works, forget it — is exactly the environment where a vulnerability like CVE-2026-22557 sits unpatched the longest. The people most at risk aren't the ones running managed IT services with regular maintenance windows. They're the ones with a UniFi Dream Machine in a closet that a volunteer set up two years ago and hasn't been touched since.
UniFi updates aren't disruptive. The controller can be updated with no downtime for connected devices. There's no reason to defer this one. The only question is whether anyone knows the update is needed.
If you're running a self-hosted controller and can't update immediately — maintenance window constraints, access issues, whatever the reason — there's one mitigation worth implementing while you get it scheduled:
Restrict access to the controller to a management VLAN. If the UniFi Network Application isn't reachable from your general staff or guest networks, the attack surface shrinks significantly. The vulnerability requires network access to the controller; no network path, no exploit. This isn't a fix, but it reduces exposure while you arrange the update.
If you have clients or staff managing UniFi deployments that you haven't audited recently, this is a good reason to do that now. The fix takes minutes. The exposure from leaving it unpatched is significant — and as we've written about with IoT devices and botnet recruitment, network equipment that's compromised doesn't just affect you. It can be turned against others.
The update is available. The versions are clear. The only thing standing between you and a patched controller is the 15 minutes it takes to apply it.
WCW manages UniFi deployments for small businesses and churches across Southwest Ohio — firmware current, configurations reviewed, vulnerabilities caught before they become incidents.
📅 Book a Free Consultation Get in Touch