@CappyT
Last active April 8, 2026 07:05
Hassio Unifi Network Application hotfix

HA OS UniFi Add-on - Temporary Hotfix (CVE-2026-22557 & CVE-2026-22558)

This is a quick image-cache hijacking workaround: it overwrites the locally cached add-on image with a patched copy under the same tag, so you can patch without migrating volumes or waiting for the upstream release. Step 3 restores the s6-overlay entrypoint so the add-on boots normally.

The Supervisor will automatically wipe this custom image and pull the official one once the maintainers release the patched update.

Prerequisites:

1. SSH access to the HA OS host on port 22222 (see the docs: https://developers.home-assistant.io/docs/operating-system/debugging/#enabling-ssh-access-to-the-host).

2. Stop the UniFi add-on from the Home Assistant UI.

Step 1: Spawn a dummy container

(Note: Check your architecture and tag with docker images | grep unifi. This example uses aarch64 and tag 5.0.0)

# Run an interactive container bypassing the s6-overlay init system
docker run -it --name unifi_hotfix --entrypoint /bin/bash ghcr.io/hassio-addons/unifi/aarch64:5.0.0

Step 2: Inject JRE 25 and apply the patch (Inside the container)

# Install base dependencies
apt-get update && apt-get install -y wget apt-transport-https gnupg

# Add Adoptium GPG key and repo for Ubuntu 20.04 (Focal)
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 843C48A565F8F04B
gpg --export 843C48A565F8F04B > /etc/apt/trusted.gpg.d/adoptium.gpg
echo "deb https://packages.adoptium.net/artifactory/deb focal main" > /etc/apt/sources.list.d/adoptium.list

# Install JRE 25
apt-get update && apt-get install -y temurin-25-jre

# Download the new version of Unifi Network Application:
curl https://dl.ui.com/unifi/10.2.105-2yiwv9j6z9/unifi_sysvinit_all.deb -o /tmp/unifi.deb

# Install the new version
dpkg -i /tmp/unifi.deb

# Exit the container shell
exit

Step 3: Commit and restore the entrypoint

# Overwrite the cached image and re-inject the s6-overlay entrypoint (/init)
docker commit -c 'ENTRYPOINT ["/init"]' -c 'CMD []' unifi_hotfix ghcr.io/hassio-addons/unifi/aarch64:5.0.0

Step 4: Cleanup and boot

# Remove the dummy container
docker rm unifi_hotfix

Finally, go back to the Home Assistant UI and Start the add-on.
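
A post-commit check for Steps 3 and 4, as an added example that is not part of the original gist: docker commit also saves the /bin/bash entrypoint override from Step 1, so this verifies that the image's entrypoint is back to /init, that CMD is empty, and that the installed package is at least the version you expect. The function names, the IMAGE, MIN_VERSION and PKG variables, the script name and the package name unifi are assumptions; run it on the HA OS host before starting the add-on.

```shell
#!/bin/sh
# Added example: verify the committed hotfix image before starting the add-on.

# image_config_ok ENTRYPOINT_JSON CMD_JSON
# Succeeds only if the entrypoint is exactly /init and CMD is empty.
image_config_ok() {
    [ "$1" = '["/init"]' ] || return 1
    case $2 in '[]'|null) return 0 ;; *) return 1 ;; esac
}

# version_at_least INSTALLED MINIMUM
# Compares the dotted numeric part before the first "-" field by field
# (assumes versions shaped like 10.2.105-<build>; no epoch handling).
version_at_least() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $x$y in *[!0-9]*) return 2 ;; esac   # non-numeric field: refuse
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# verify_image IMAGE MIN_VERSION [PACKAGE]
verify_image() {
    image=$1; min=$2; pkg=${3:-unifi}   # package name is an assumption
    ep=$(docker image inspect --format '{{json .Config.Entrypoint}}' "$image") || return 2
    cmd=$(docker image inspect --format '{{json .Config.Cmd}}' "$image") || return 2
    image_config_ok "$ep" "$cmd" ||
        { echo "entrypoint/CMD not restored: $ep $cmd" >&2; return 1; }
    # Query the package database in a throwaway container, bypassing /init.
    ver=$(docker run --rm --entrypoint dpkg-query "$image" \
        -W -f='${Version}' "$pkg") || return 2
    version_at_least "$ver" "$min" ||
        { echo "$pkg $ver is older than $min" >&2; return 1; }
    echo "ok: $image has $pkg $ver, entrypoint $ep"
}

# Runs only when IMAGE is set, e.g.:
#   IMAGE=ghcr.io/hassio-addons/unifi/aarch64:5.0.0 MIN_VERSION=10.2.105 sh verify_hotfix.sh
if [ -n "${IMAGE:-}" ]; then
    verify_image "$IMAGE" "${MIN_VERSION:?set MIN_VERSION}" "${PKG:-unifi}"
fi
```

A non-zero exit with "entrypoint/CMD not restored" means the commit in Step 3 was made without the two -c changes; repeat Step 3 before starting the add-on.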

@ffeldner

First of all, THANK YOU! I could not have managed this on my own, and the vulnerabilities released require immediate action.
One note: the line
echo "deb [https://packages.adoptium.net/artifactory/deb](https://packages.adoptium.net/artifactory/deb) focal main" > /etc/apt/sources.list.d/adoptium.list

should probably be
echo "deb https://packages.adoptium.net/artifactory/deb focal main" > /etc/apt/sources.list.d/adoptium.list

I copied your command and had to delete the file and try again with the altered line I added.

@CappyT
Author

CappyT commented Mar 20, 2026

First of all, THANK YOU! I could not have managed this on my own, and the vulnerabilities released require immediate action. One note: the line echo "deb [https://packages.adoptium.net/artifactory/deb](https://packages.adoptium.net/artifactory/deb) focal main" > /etc/apt/sources.list.d/adoptium.list

should probably be echo "deb https://packages.adoptium.net/artifactory/deb focal main" > /etc/apt/sources.list.d/adoptium.list

I copied your command and had to delete the file and try again with the altered line I added.

Thank you for the feedback, and you're right: it was a copy-paste problem with my markdown editor.

I've corrected the gist for future users.

@satmandu

Thanks also for putting this together!

@pimwillems

Thanks for this!

@mtughan

mtughan commented Mar 24, 2026

Is there a reason why you're using the Ubuntu keyserver for the Adoptium signing key? Their instructions say to download the key from their Artifactory server and save it directly to /etc/apt/trusted.gpg.d/adoptium.gpg using the following commands:

wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null
echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list

Aside from that, this is fantastic and I really appreciate you sharing it! I've been able to update my version to 10.1.89 to patch the CVEs.

@CappyT
Author

CappyT commented Mar 31, 2026

Is there a reason why you're using the Ubuntu keyserver for the Adoptium signing key?

Sorry for the late reply.
No, no particular reason. I often use the system one, and since the image is based on Ubuntu I used that, but you can choose whatever fits your preference.

@satmandu

satmandu commented Apr 4, 2026

I just updated the url to https://dl.ui.com/unifi/10.2.105-2yiwv9j6z9/unifi-native_sysvinit.deb to get the current version...

e.g.,

# Download the new version of Unifi Network Application:
curl https://dl.ui.com/unifi/10.2.105-2yiwv9j6z9/unifi-native_sysvinit.deb -o /tmp/unifi.deb

@CappyT
Author

CappyT commented Apr 8, 2026

I just updated the url to https://dl.ui.com/unifi/10.2.105-2yiwv9j6z9/unifi-native_sysvinit.deb to get the current version...

e.g.,

# Download the new version of Unifi Network Application:
curl https://dl.ui.com/unifi/10.2.105-2yiwv9j6z9/unifi-native_sysvinit.deb -o /tmp/unifi.deb

I updated the guide, thank you!
