{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22564", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-07T15:39:03.440Z", "datePublished": "2026-04-13T21:28:10.865Z", "dateUpdated": "2026-04-14T13:14:19.961Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "affected": [{"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.38", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"version": "0", "status": "affected", "lessThan": "1.1.9", "versionType": "semver"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:10.865Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T12:59:47.135052Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:19.961Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T12:59:47.135052Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:37.225Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.38", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:10.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22564", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:19.961Z", "dateReserved": "2026-01-07T15:39:03.440Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-04-13T21:28:10.865Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "id": "CVE-2026-22564", "lastModified": "2026-04-30T16:14:21.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:28.187", "references": [{"source": "support@hackerone.com", "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play Audio Port", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_audio_port", "vendor": "ubiquiti"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play PowerAmp", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_poweramp", "vendor": "ubiquiti"}], "analysis": {"en": {"generated_at": "2026-04-13T22:22:10.467362+00:00", "value": {"mitigation_remediation": ["Update UniFi Play PowerAmp to version 1.0.38 or later.", "Update UniFi Play Audio Port to version 1.1.9 or later.", "If a patch cannot be applied immediately, isolate the device from the broader network or restrict SSH access to trusted hosts."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendor: Ubiquiti Inc. Products affected are UniFi Play PowerAmp versions 1.0.35 and earlier, and UniFi Play Audio Port versions 1.0.24 and earlier. These devices run legacy firmware releases prior to the publicly released patches.", "description_and_impact": "The vulnerability is an improper access control flaw that lets an attacker with access to the UniFi Play network enable SSH, allowing unauthorized changes to the system. This flaw is classified as CWE\u2011284. The impact is that a compromised device can execute arbitrary commands, leading to full system compromise.", "risk_and_exploitability": "The CVSS base score of 9.8 marks it as critical. The flaw can be exploited by any user with network access to a UniFi Play device, without special authentication. Because EPSS data is not available and the vulnerability is not in the KEV catalog, the primary indicator of risk is the high base score and the ease of lateral network access within a local area network. Immediate patching is strongly recommended to eliminate the elevated risk of remote code execution."}}}}, "created": "2026-04-14T16:17:14.036383+00:00", "title": "Unauthorized SSH Access via Improper Access Control on UniFi Play Devices", "updated": "2026-04-14T16:33:05.711537+00:00", "vendors": ["ubiquiti", "ubiquiti$PRODUCT$unifi_play_audio_port", "ubiquiti$PRODUCT$unifi_play_poweramp"]}