← Back to Blog

Do I Need to Patch My UniFi Controller for CVE-2026-22557?

5 min read Matt Gavin
Do I Need to Patch My UniFi Controller for CVE-2026-22557?

🔭 Scout's Take

Ubiquiti disclosed a max-severity vulnerability in the UniFi Network Application on March 18th. If you're running version 10.1.85 or earlier, an unauthenticated attacker can take over your admin account. This post covers what the flaw does, why you probably didn't hear about it in time, and the five things to do right now.

Yes. Update to UniFi Network Application version 10.1.89 or later right now. If you're on 10.1.85 or earlier, an unauthenticated attacker with network access can traverse the file system, access sensitive files, and take over your admin account. No credentials needed. No user interaction. Ubiquiti gave it a maximum severity rating.

A second vulnerability patched the same day allows authenticated users to escalate privileges through NoSQL injection. Both are fixed in 10.1.89+.

If you haven't updated yet, do that before you keep reading.

What Does This Vulnerability Actually Do?

CVE-2026-22557 is a path traversal flaw. An attacker with access to the network where your UniFi controller lives can request files outside the application's intended directory. Those files can be used to compromise an admin account on the controller itself.

Once someone owns your UniFi admin account, they control your network: firewall rules, VLANs, DNS settings, port forwarding, connected device visibility, everything. For a business running UniFi, that's full infrastructure compromise from a single unpatched application.

Censys is tracking nearly 29,000 UniFi Network Application endpoints exposed directly to the internet, almost all in the United States. If your controller is internet-facing, the attacker doesn't even need to be on your local network.

How Would I Even Know About This?

That's the problem. I manage multiple UniFi deployments: a UDM Pro at home, work networks, and self-hosted controllers for other organizations. I'm logged into one controller or another almost every day.

When I checked unifi.ui.com, the cloud controller flagged the CVE and told me a patch was available. My UDM Pro at home showed nothing. No alert, no badge, no indication anything was wrong. I had to force the update script before it even recognized the update existed.

I pushed the patch across every controller I manage at 6 AM on a Friday, about four days after Ubiquiti's disclosure. I caught it because I'm obsessive about this stuff. If I weren't already in the habit of checking controllers daily, I'm not confident the automatic update process would have flagged it fast enough.

Most of those 29,000 exposed controllers aren't managed by someone checking dashboards every morning. They're small businesses that set up UniFi because it was affordable and capable, configured remote access at some point, and moved on. They don't read security advisories. The notification path for them is basically nonexistent.

Is This Just a UniFi Problem?

No. I deal with the same pattern at work on our NetSapiens platform. They've been releasing security patches in "waves" on their current LTS version. It's a grind, but it's the reality of running anything in production.

You have to assume everything has a flaw somewhere. It's a matter of time until someone finds it. That's not cynicism, it's how you operate production infrastructure without getting caught off guard. The question isn't whether your gear has vulnerabilities. It's whether you have a process to find out and patch them before someone else does.

Unless you're sitting there actively looking for vulnerabilities, you never really know what's exposed. That's a lousy position to be in as an administrator, but it's the reality.

This is the second time in recent years Ubiquiti hardware has made security headlines. In February 2024, the FBI took down a botnet of hacked Ubiquiti Edge OS routers that Russian intelligence was using to proxy attack traffic. The gear is solid. The patching and notification experience needs work.

What Should I Do Right Now?

  1. Check your version. Open the UniFi Network Application. Anything on 10.1.85 or earlier is vulnerable.
  2. Update to 10.1.89 or later. If the update isn't showing, force a manual check or run the update script directly. Don't wait for it to auto-detect.
  3. Check whether your controller is internet-accessible. If it is without a specific reason, close the port. Use unifi.ui.com or a VPN for remote management instead.
  4. Check every deployment you manage. Don't assume they all auto-updated. Mine didn't.
  5. Bookmark Ubiquiti's security advisories. There's no reliable push notification for critical patches. You have to go looking.

Managing multiple UniFi deployments and need help staying on top of security patches? Let's talk.

Get in Touch

Related Posts

Why You Should Plan Your VLAN Layout Before You Deploy a Single Switch

March 11, 2026 · 7 min read

Retrofitting VLANs onto a flat network is painful and expensive. Plan your segmentation before you deploy, not after something breaks.

Unifi Network Segmentation

Should SMBs Buy UniFi Gear at Micro Center, or Go Through a Proper Channel?

March 4, 2026 · 5 min read

Retail UniFi buys look easy, but SMB networks usually cost less and fail less when gear is sized and sourced through a real channel partner.

Unifi Network Segmentation

Why Is the AI You Get at Work Worse Than the One on Your Phone?

February 22, 2026 · 5 min read

Nobody in leadership understands AI tools well enough to make good decisions. That role barely exists yet. Here's what natural adoption looks like vs. mandated compliance theater.

Unifi Network Segmentation