Security Advisory - Published 2026-06-25 - Unraid
Unraid web admin: restrict access and review authenticated activity
This Unraid batch affects authenticated web administration paths. Patch and restrict the admin UI, then review uploads, plugin changes, state changes, web-server process activity, and logins from networks that should not manage the server.
Affected Unraid issues
| CVE | Required access | Review | CVSS |
|---|---|---|---|
| CVE-2026-9772 | Admin | Review upload handling, plugin installs, and www-data process activity | 8.8 |
| CVE-2026-9773 | Admin | Review state changes, plugin activity, and web-server process activity | 8.8 |
Owner self-check
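```sh
# Installed Unraid version
cat /etc/unraid-version 2>/dev/null
# Recent logins, with the source host in the last column
last -a | head -80
# Plugin and log files modified in the last 14 days
find /boot/config/plugins /var/log -type f -mtime -14 2>/dev/null | head -120
# Log lines mentioning logins, uploads, plugins, state changes or the web user
grep -RniE 'login|upload|plugin|state|www-data|error|warning' /var/log /boot/logs 2>/dev/null | tail -220
# Running web-server and management processes
ps aux | grep -E 'nginx|php|www-data|emhttp' | grep -v grep
```
What to review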
- Whether Unraid web administration is reachable from the internet, VPN users, or shared office networks.
- Admin logins, session history, plugin installs, plugin updates, and file upload activity.
- Unexpected web-server child processes, changed state files, and files modified by the web user.
- Firewall rules, reverse proxy rules, and any temporary public access created for remote maintenance.
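One way to act on the login review above, as an added example that is not part of the original advisory: it filters `last -a` output from the self-check for sessions whose source IPv4 address is outside the management networks. The `TRUSTED_NETS` ranges, the `untrusted_logins` function name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. TRUSTED_NETS is an assumption:
# replace it with the IPv4 CIDRs that are allowed to manage the server.
TRUSTED_NETS="${TRUSTED_NETS:-192.168.10.0/24 10.8.0.0/24}"

# Constructed sample in `last -a` layout (source host is the last column).
SAMPLE_LAST='root     pts/0        Mon Jun 22 10:14   still logged in    192.168.10.20
root     pts/1        Sun Jun 21 23:02 - 23:40  (00:38)     203.0.113.45
root     tty1         Sat Jun 20 09:00 - 09:05  (00:05)
reboot   system boot  Sat Jun 20 08:59   still running      6.1.0-example'

# Reads `last -a` output on stdin and prints "user source" for every
# session whose IPv4 source is outside all trusted networks.
untrusted_logins() {
  awk -v nets="$TRUSTED_NETS" '
    function ip2int(ip,   o) {
      if (split(ip, o, ".") != 4) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function trusted(ip,   i, c, size, base, addr) {
      addr = ip2int(ip)
      for (i = 1; i <= n; i++) {
        # A bare address without a prefix length is treated as a /32.
        if (split(cidr[i], c, "/") < 2) c[2] = 32
        size = 2 ^ (32 - c[2])                  # addresses in the block
        base = int(ip2int(c[1]) / size) * size  # network address
        if (addr >= base && addr < base + size) return 1
      }
      return 0
    }
    BEGIN { n = split(nets, cidr, " ") }
    # Skip reboot records, the wtmp trailer and blank lines.
    $1 == "reboot" || $1 == "wtmp" || NF < 3 { next }
    # Local console sessions have no address in the last field: ignored.
    $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !trusted($NF) { print $1, $NF }
  '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LAST" | untrusted_logins
```

On a live server, pipe `last -ai` into the function so sources are numeric; hostnames and IPv6 sources are not evaluated by this filter.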
Safe fix path
- Apply the Unraid vendor update that covers this advisory batch.
- Restrict the web admin UI to trusted management networks before reviewing logs.
- Preserve logs and plugin lists before deleting suspicious files or restarting services.
- Rotate admin passwords and plugin credentials if web-admin activity is not fully explained.
Repair help
Use Ping7 CVE Repair when an Unraid admin panel was exposed, plugin activity changed, or web-server process activity needs review.