What is CVE-2026-47368?
CVE-2026-47368 is a path traversal vulnerability in Ubiquiti's UniFi OS, the management operating system that runs on UniFi gateways, controllers, and network appliances. The flaw stems from inadequate validation of user-supplied input when the system constructs file paths, which lets an attacker insert directory traversal sequences and resolve paths outside the intended root directory.
The vulnerability carries a CVSS v3.1 base score of 8.6 (High). Exploitation requires no authentication and no user interaction. An attacker only needs network access to a vulnerable device to reach the affected component.
Successful exploitation allows the attacker to read arbitrary files on the device, including configuration files, logs, and other sensitive application data. The impact is confined to confidentiality: the flaw exposes data rather than allowing code execution or modification. Because the affected component crosses a privilege boundary when it serves files, the scope is rated as changed.
What assets are affected by CVE-2026-47368?
The vulnerability affects a broad range of hardware and software built on UniFi OS. UniFi OS Server is affected in versions before 5.1.15. The Express line is affected before 4.0.15. The UDM family, including UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, and related gateway, router, and network video recorder appliances, is affected before 5.1.15. In total, Ubiquiti lists more than thirty affected products spanning gateways, dream machines, cloud keys, and storage appliances.
In practice, an affected asset is an internet-facing network appliance. UniFi gateways and controllers are commonly placed at the network edge to manage remote sites, branch offices, and distributed deployments. Many expose a web management interface to support remote administration, and that interface is exactly the surface a network-based attacker would reach.
These devices tend to be deployed widely and managed inconsistently. A single organization may run dozens of UniFi appliances across locations, often installed by different teams or contractors and updated on no fixed schedule. That combination of distributed deployment and uneven patching keeps vulnerable versions reachable long after a fix ships.
What does our data show about exposure patterns?
Exposure in this set is led by Industrials at 38.6% of observed assets, with Consumer Discretionary contributing 29.5%. Financials follows at 13.6%, and the remaining sectors fall into the Others bucket.
Industrials sits at the top for a reason that fits the product. Industrial organizations run distributed physical footprints: plants, depots, warehouses, and field sites that each need local network gear. UniFi appliances are a common fit for that pattern because they are affordable and easy to deploy at remote locations. The same distribution that makes them convenient also scatters management responsibility, so vulnerable devices accumulate at sites that rarely receive central oversight.
The cross-sector spread points to a familiar visibility gap. These are edge devices that get installed to solve an immediate connectivity need and then fade into the background. They are rarely tracked in a central inventory, rarely included in patch cycles, and rarely revisited until something forces attention. That is the conditions under which a network-reachable information disclosure flaw stays exploitable across an estate.
Are fixes available?
Patches are available. Ubiquiti has published fixed versions and documented them in Security Advisory Bulletin 065. UniFi OS Server is fixed in 5.1.15, the Express line is fixed in 4.0.15, and the UDM family is fixed in 5.1.15.
Because the affected products span a wide hardware range, the correct fixed version depends on the specific device. Organizations should map each appliance to its product line and confirm the target version rather than assuming a single update covers the whole estate.
Defenders should verify patch status directly against the vendor advisory for each device model. An appliance that has not checked in for updates, or that runs an older firmware train, may remain on a vulnerable version even after a fix is broadly available.
Are there any other recommended actions to take?
Until every device is confirmed patched, defenders should:
- Inventory all UniFi OS appliances and record the firmware version on each
- Restrict access to device management interfaces to trusted networks
- Block exposure of UniFi management ports from the public internet
- Monitor device logs for unusual file-access or path-traversal patterns
- Prioritize internet-facing gateways and controllers for the first patch wave
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-47368 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.
