CVE-2026-34908
is CVE-2026-34908real, exploitable, or a false positive? Here's the community verdict.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2026-34908)<a href="https://www.truepositive.app/cve/CVE-2026-34908"><img src="https://www.truepositive.app/cve/CVE-2026-34908/badge.svg" alt="TruePositive verdict for CVE-2026-34908"></a>Live badge that updates automatically as the community verdict changes.
Community ground truth
In your experience, is this finding real and exploitable?
1 verdictIncludes TruePositive's curated baseline from public sources. Community verdicts accrue on top.
No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.
In line with its CVSS base score.
Field notes & remediation
Verdicts are the quick signal. Notes are the evidence and fixes behind them.
- 0
Ubiquiti UniFi OS Improper Access Control Vulnerability — Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system. Listed in the CISA KEV catalog (added 2026-06-23) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~1%. Treat it as real and prioritize remediation over triage.
- 0
Required action for Ubiquiti UniFi OS: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA set a federal remediation due date of 2026-06-26. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Add a field note or remediationoptional
Related CVEs
Same weakness: CWE-284.
- CVE-2023-27350CVSS 9.8KEVEPSS 100%
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
- CVE-2015-1427CVSS 9.8KEVEPSS 100%
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
- CVE-2019-1653CVSS 7.5KEVEPSS 100%
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
- CVE-2023-23752CVSS 5.3KEVEPSS 100%
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
- CVE-2023-29298CVSS 7.5KEVEPSS 100%
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
- CVE-2023-38205CVSS 7.5KEVEPSS 100%
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.