
Description

On TP-Link Tapo C260 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

PUBLISHED Reserved 2026-01-06 | Published 2026-02-10 | Updated 2026-02-11 | Assigner TPLink




HIGH: 7.2 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-284 Improper Access Control

Product status

Default status: unaffected

Any version before 1.1.9 Build 251226 Rel.55870n: affected

Credits

spaceraccoon (finder)

References

www.tp-link.com/us/support/download/tapo-c260/v1/ (patch)

www.tp-link.com/en/support/download/tapo-c260/v1/ (patch)

www.tp-link.com/us/support/faq/4960/ (vendor-advisory)

cve.org (CVE-2026-0653)

nvd.nist.gov (CVE-2026-0653)
