
Ubiquiti patches seven UniFi OS flaws, including a critical UniFi Connect command-injection risk
Ubiquiti released security updates to fix seven critical UniFi OS vulnerabilities, including CVE-2026-50746 in the UniFi Connect App that could allow command injection; users should upgrade the UniFi Connect app to version 3.4.20+ and apply patches across UniFi Talk, UniFi Access, UniFi Protect, and the UniFi OS Server. The company notes several flaws can be exploited in low-complexity attacks with no user interaction. Threats note that more than 100,000 UniFi OS instances are exposed online (per Censys), though it isn’t clear how many are patched, honeypots, or otherwise secured. The report also references past CISA/FBI warnings and demonstrations of exploitation techniques in related Ubiquiti products.
