Description
On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
Published: 2026-02-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification via access control bypass
Action: Patch Now
AI Analysis

Impact

A guest‑level authenticated user on TP‑Link Tapo C260 v1 and D235 v1 can send crafted requests to a synchronization endpoint and modify protected device settings. The flaw allows unauthorized configuration changes but does not result in full code execution.

Affected Systems

TP‑Link Systems Inc. – Tapo C260 v1 and Tapo D235 v1 are susceptible to this access control weakness.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2 and an EPSS of less than 1 %. It is not listed in the CISA KEV catalog. Because the attack requires a valid guest credential and network access to the device’s synchronization endpoint, exploitation is possible over the network but is considered low probability. The impact is the ability to alter device state without authorization, which undermines device integrity but does not expose other higher‑level privileges.

Generated by OpenCVE AI on April 16, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest firmware for Tapo C260 v1 and Tapo D235 v1 from the TP‑Link support site.
  • Reboot the devices to apply the firmware update and enable the fixed access control logic.
  • If guest accounts are not required, disable or delete them to eliminate the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 06:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description On TP-Link Tapo C260 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution. On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
References

Fri, 13 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C260
Tp-link tapo C260 Firmware
CPEs cpe:2.3:h:tp-link:tapo_c260:1:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c260_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tapo C260
Tp-link tapo C260 Firmware
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C260 V1
Vendors & Products Tp-link
Tp-link tapo C260 V1

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
Description On TP-Link Tapo C260 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
Title Insecure Access Control on TP-Link Tapo D235 and C260
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Tapo C260 Tapo C260 Firmware Tapo C260 V1
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-03-31T14:15:13.215Z

Reserved: 2026-01-06T18:19:03.788Z

Link: CVE-2026-0653

cve-icon Vulnrichment

Updated: 2026-02-11T15:08:15.918Z

cve-icon NVD

Status : Modified

Published: 2026-02-10T18:16:22.257

Modified: 2026-03-13T19:53:56.660

Link: CVE-2026-0653

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:00:10Z

Weaknesses