CVE-2026-22557

CRITICAL NUCLEI

UniFi Network Application 9.0.118-10.1.89, 10.2.97 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2026-22557. PoCs published by adminlove520, SecureWithUmer, gagaltotal. A Nuclei detection template is also available.

AI-analyzed exploit summary This Python script tests for CVE-2026-22557, a critical unauthenticated path traversal vulnerability in Ubiquiti UniFi Network Application. The script sends crafted HTTP requests with directory traversal payloads to common UniFi API endpoints to detect potential file read access (e.g., /etc/passwd).

Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.

Exploits (7)

github SCANNER
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-22557

This Python script tests for CVE-2026-22557, a critical unauthenticated path traversal vulnerability in Ubiquiti UniFi Network Application. The script sends crafted HTTP requests with directory traversal payloads to common UniFi API endpoints to detect potential file read access (e.g., /etc/passwd).

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Racy
Target: Ubiquiti UniFi Network Application (versions ≤ 10.1.85 and ≤ 10.2.93)
No auth needed
Prerequisites: Network access to the UniFi Network Application interface · Target must be running a vulnerable version of the software
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github SCANNER
by gagaltotal · gopoc
https://github.com/gagaltotal/CVE-2026-22557-Path-Traversal-Ubiquti-UniFi

This repository contains a Go-based scanner for CVE-2026-22557, targeting path traversal vulnerabilities in the UniFi Network Application. The tool tests multiple endpoints with various traversal payloads to detect potential vulnerabilities without exploiting them.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: UniFi Network Application
No auth needed
Prerequisites: network access to the target system · Go 1.21 or newer
mistral-large-3 · analyzed Jun 30, 2026 Full analysis →
github SCANNER
by BishopFox · pythonpoc
https://github.com/BishopFox/CVE-2026-22557-check

This repository contains a detection tool for CVE-2026-22557, an unauthenticated path-traversal vulnerability in UniFi Network Application's guest captive portal. The tool checks for vulnerability by probing the `page_error` parameter and determining if the traversal fires, without exploiting the vulnerability.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: UniFi Network Application (versions 10.1.85 and earlier, 10.2.x and 9.0.x branches)
No auth needed
Prerequisites: Access to the UniFi Network controller's guest portal endpoint
mistral-large-3 · analyzed May 30, 2026 Full analysis →
nomisec WORKING POC
by ThePotatoOfDoom · poc
https://github.com/ThePotatoOfDoom/CVE-2026-22557-PoC

The repository contains a functional Python exploit for CVE-2026-22557, a pre-authentication path traversal vulnerability in the UniFi Network Application guest portal. The exploit leverages the `page_error` query parameter to read arbitrary files from the web application context, potentially extending to system files under specific conditions.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: UniFi Network Application (guest portal)
No auth needed
Prerequisites: Access to the guest portal endpoint · Target running vulnerable UniFi Network Application
mistral-large-3 · analyzed Apr 12, 2026 Full analysis →
nomisec SCANNER
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-22557

The repository contains a Python script that tests for CVE-2026-22557, a critical path traversal vulnerability in Ubiquiti UniFi Network Application. It sends HTTP requests with various traversal payloads to detect potential vulnerabilities but does not exploit them.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ubiquiti UniFi Network Application (≤ 10.1.85, ≤ 10.2.93)
No auth needed
Prerequisites: Network access to the target UniFi controller
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec SCANNER
by GarethMSheldon · poc
https://github.com/GarethMSheldon/cve-2026-22557-unifi-detection

This repository provides a detection script and SIEM rules for identifying CVE-2026-22557, a path traversal vulnerability in Ubiquiti UniFi Network Application. It includes version checks, log scanning, and network exposure tests but does not contain exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Ubiquiti UniFi Network Application < 10.1.89, < 10.2.97, < 9.0.118
No auth needed
Prerequisites: access to UniFi logs or network interface
mistral-large-3 · analyzed Mar 23, 2026 Full analysis →

Nuclei Templates (1)

UniFi Network Application - Path Traversal
CRITICALVERIFIEDby Aryu-RU
Shodan: http.title:"UniFi Network"
FOFA: title="UniFi Network"

Scores

CVSS v3 10.0
EPSS 0.1560
EPSS Percentile 96.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (3)
Ubiquiti Inc/UniFi Network Application 10.1.89
Ubiquiti Inc/UniFi Network Application 10.2.97
Ubiquiti Inc/UniFi Network Application 9.0.118
Published Mar 19, 2026
Tracked Since Mar 19, 2026