{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22566", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-07T15:39:03.441Z", "datePublished": "2026-04-13T21:28:10.973Z", "dateUpdated": "2026-04-14T13:14:19.836Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "affected": [{"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.38", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"version": "0", "status": "affected", "lessThan": "1.1.9", "versionType": "semver"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:10.973Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22566", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:59:25.303372Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:19.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22566", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:59:25.303372Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:35.166Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Ubiquiti Inc", "product": "UniFi Play PowerAmp", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.38", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Ubiquiti Inc", "product": "UniFi Play Audio Port", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-04-13T21:28:10.973Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22566", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:19.836Z", "dateReserved": "2026-01-07T15:39:03.441Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-04-13T21:28:10.973Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"}], "id": "CVE-2026-22566", "lastModified": "2026-04-30T16:14:21.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:28.437", "references": [{"source": "support@hackerone.com", "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play Audio Port", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_audio_port", "vendor": "ubiquiti"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "UniFi Play PowerAmp", "source": "cna", "vendor": "Ubiquiti Inc"}, "product": "unifi_play_poweramp", "vendor": "ubiquiti"}], "analysis": {"en": {"generated_at": "2026-04-13T22:51:14.943025+00:00", "value": {"mitigation_remediation": ["Update UniFi Play PowerAmp firmware to version 1.0.38 or later.", "Update UniFi Play Audio Port firmware to version 1.1.9 or later."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized disclosure of WiFi credentials"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Ubiquiti\u00a0Inc\u2019s UniFi Play PowerAmp firmware versions 1.0.35 and earlier, and UniFi Play Audio Port firmware versions 1.0.24 and earlier. The impacted devices are audio amplification appliances used in residential or small\u2011business environments.", "description_and_impact": "An improper access control flaw (CWE\u2011284) exists in Ubiquiti UniFi Play PowerAmp and Audio Port devices, allowing a malicious actor with local network access to retrieve the WiFi credentials stored on the device by bypassing authorization checks on configuration endpoints. The consequence is the exposure of sensitive authentication information that could enable unauthorized entry into the local network.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a moderate to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. Based on the description, it is inferred that the attack vector is a host on the same local network, as authentication is not required to retrieve the stored credentials. An attacker could simply send crafted requests to the affected device and obtain the WiFi credentials, potentially enabling further compromise of the local network."}}}}, "created": "2026-04-14T16:17:11.891690+00:00", "title": "Improper Access Control in Ubiquiti UniFi Play Devices Enables Unauthorized Retrieval of WiFi Credentials", "updated": "2026-04-14T16:33:03.274124+00:00", "vendors": ["ubiquiti", "ubiquiti$PRODUCT$unifi_play_audio_port", "ubiquiti$PRODUCT$unifi_play_poweramp"]}