External risk intelligence

UniFi Talk SQL Injection Privilege Escalation

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-50747

The UniFi Talk application is typically managed within a local network or via a dedicated controller, rather than being exposed directly to the public internet as a primary edge service. While network-reachable in some environments, it usually resides behind internal controls or VPNs, making direct public internet exposure uncommon in typical deployments.

SQL Injection

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in UniFi Talk Application that could allow a low-privilege attacker with network access to gain higher privileges on a host device. This SQL injection vulnerability requires the attacker to be on the same network and have some level of authenticated access to exploit.

  • Attackers can gain higher access to devices.
  • Critical vulnerability in UniFi Talk Application.
  • Assess relevance to internal network security.

Attack Path

How an attacker could exploit the issue

An attacker with network access and low-level privileges could exploit SQL injection flaws within the UniFi Talk Application. This could allow them to elevate their privileges on the targeted device.

  • Network access and low privileges required.
  • Authenticated SQL injection in UniFi Talk.
  • Privilege escalation on host device.

Live Threat

Current exploitation, exposure, and threat context

A malicious actor with network access and low privileges could exploit authenticated SQL injection vulnerabilities in the UniFi Talk Application. When supported by the advisory, this could allow for privilege escalation on the host device, potentially impacting the confidentiality, integrity, and availability of the system.

  • System host device.
  • Exploiting authenticated SQL injection.
  • Privilege escalation on host.

Operational Fix

Recommended remediation, mitigation, and detection steps

System administrators and application owners are likely responsible for addressing this critical SQL injection vulnerability in the UniFi Talk Application. The first practical step is to identify all instances of the UniFi Talk Application, determine their network reachability and business criticality, and then assign ownership for remediation.

  • Application owners should manage the issue.
  • Verify network exposure and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the UniFi Talk Application?

UniFi Talk is a VoIP phone system application managed through UniFi consoles. It handles telephony features like phone numbers, contacts, and call routing for organizations. Users interact with it to configure their desk phones and manage communication services within their UniFi network environment.

What does SQL injection mean in the context of CVE-2026-50747?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. It means an attacker can submit crafted input that the application mistakenly processes as a database command. For this CVE, that flaw allows an attacker to manipulate the database to elevate their account privileges to a higher level on the host device.

How can an attacker trigger this vulnerability?

An attacker must have network access and a valid, low-privilege user account on the UniFi Talk system. The vulnerability is not triggered by public or anonymous users without login credentials. It specifically requires an authenticated session to interact with the vulnerable backend database functions.

Is my deployment at risk according to Halo Surface Signal?

Halo Surface Signal labels this risk as Unlikely because UniFi Talk typically operates behind internal network controls or VPNs. It is rarely exposed directly to the public internet. However, those on the same internal network as the controller should still evaluate their security posture.

What should I do if I run UniFi Talk?

Begin by inventorying all systems running the UniFi Talk application in your environment. Confirm which devices have network access to these controllers. Once identified, monitor for official security updates from the vendor to resolve the flaw and coordinate with your team to plan and apply the necessary patches.

References