External risk intelligence

UniFi Protect Improper Access Control Vulnerability Allows Network Attackers to Bypass Authentication for Data Streaming

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-54408

UniFi Protect is a surveillance management application frequently deployed as an internet-accessible gateway or remote access service to allow users to stream video feeds from outside their local network.

Ui Unifi Protect

before 7.1.83

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in the UniFi Protect Application that could allow an unauthenticated attacker with network access to bypass security controls and stream data. The core issue is improper access control, which could have significant implications for data privacy and system integrity. The main concern at this stage is confirming relevance and exposure within your environment.

  • Unauthorized access to stream data is possible.
  • Protects sensitive video feeds from unauthorized viewing.
  • Confirm if UniFi Protect is in use and exposed.

Attack Path

How an attacker could exploit the issue

An attacker who can reach the UniFi Protect application over a network could bypass authentication controls. This would allow them to access and stream data that should otherwise be protected.

  • Network access required.
  • Bypasses authentication.
  • Unauthorized data streaming.

Live Threat

Current exploitation, exposure, and threat context

A malicious actor on the network could bypass authentication in the UniFi Protect Application, potentially enabling unauthorized access to data streams. This could occur when the application is deployed in a manner that exposes it to the network.

  • Unauthorized access to video streams.
  • Bypassing authentication controls.
  • Compromised surveillance data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The UniFi Protect Application's Improper Access Control vulnerability requires immediate attention from teams managing network infrastructure and application deployments. Network and security teams should first identify all instances of the affected application, determine their external reachability and business criticality, and then work with application owners to prioritize remediation. The vendor-management team may also need to be engaged for coordination.

  • Network and application teams own remediation.
  • Verify external reachability and business criticality.
  • Plan for remediation during the next maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the UniFi Protect Application?

UniFi Protect is a software platform designed for managing video surveillance systems. It serves as a centralized hub for recording, storing, and monitoring live video feeds from connected cameras. Users often deploy this application on gateways or dedicated hardware to enable remote viewing and management of their security footage from outside the local network environment.

What does Improper Access Control mean for CVE-2026-54408?

This vulnerability falls under the CWE-284 weakness class, which identifies a failure to properly restrict access to resources. In the context of CVE-2026-54408, the software fails to correctly verify the identity of a user attempting to interact with the system. This weakness allows an attacker to circumvent authentication protocols that are intended to protect sensitive data streams from unauthorized parties.

How can an attacker trigger this vulnerability?

An attacker triggers this bug by gaining network reachability to the UniFi Protect Application. No specific user interaction, such as clicking a link or logging in, is required to initiate the exploit. Simply having connectivity to the service over the network is sufficient to bypass security. Notably, the vulnerability is not triggered by local physical access or actions performed by an already authenticated administrator.

Why should I care about this vulnerability?

You should care because Halo Surface Signal indicates that UniFi Protect is frequently deployed as an internet-accessible service. This means your surveillance feeds may be exposed to the public internet, allowing any network-based attacker to stream your video data. Assessing whether your deployment is reachable from outside your local network is the most important step in understanding your specific risk.

How do I respond to CVE-2026-54408?

Your first step is to inventory all instances of UniFi Protect within your environment to identify which versions are in use. If you are running a version earlier than 7.1.83, you are affected. Prioritize checking the network reachability of these systems, specifically looking for instances exposed to the internet. Coordinate with your infrastructure teams to plan and apply the necessary updates during your next maintenance window.

References