CVE-2020-8267

Name: CVE-2020-8267
Creator: NVD / NIST
Published: 2020-11-05T19:15:13.96+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 1.25%

Last modified Jun 17, 2026

CVE-2020-8267 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.. EPSS estimates a 1.25% chance of exploitation in the next 30 days.

Description

A security issue was found in UniFi Protect controller v1.14.10 and earlier.The authentication in the UniFi Protect controller API was using “x-token” improperly, allowing attackers to use the API to send authenticated messages without a valid token.This vulnerability was fixed in UniFi Protect v1.14.11 and newer.This issue does not impact UniFi Cloud Key Gen 2 plus.This issue does not impact UDM-Pro customers with UniFi Protect stopped.Affected Products:UDM-Pro firmware 1.7.2 and earlier.UNVR firmware 1.3.12 and earlier.Mitigation:Update UniFi Protect to v1.14.11 or newer version; the UniFi Protect controller can be updated through your UniFi OS settings.Alternatively, you can update UNVR and UDM-Pro to:- UNVR firmware to 1.3.15 or newer.- UDM-Pro firmware to 1.8.0 or newer.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

1.25%

65.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Ui	Unifi Protect Firmware	<= 1.14.10

References

https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000aPatch, Vendor Advisory
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-1b3066bf2bbfRelease Notes, Vendor Advisory
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c996-43d9-ab95-8c97ae05a98fPatch, Vendor Advisory
https://community.ui.com/releases/UniFi-Dream-Machine-Firmware-1-8-0/deabc255-a081-49ba-8f51-131f3a13000aPatch, Vendor Advisory
https://community.ui.com/releases/UniFi-Protect-1-14-11/928e6fac-afeb-49c2-93a5-1b3066bf2bbfRelease Notes, Vendor Advisory
https://community.ui.com/releases/UniFi-Protect-NVR-Firmware-1-3-15/c2a783a6-c996-43d9-ab95-8c97ae05a98fPatch, Vendor Advisory

Timeline

Published: Nov 5, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-8267?

How severe is CVE-2020-8267?

CVE-2020-8267 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.25% probability of exploitation in the next 30 days.

How do I fix CVE-2020-8267?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-8267?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST