CVE-2026-0653

MEDIUM

TP-Link Tapo C260 v1 < 1.1.9 and D235 v1 < 1.2.2 - Authenticated Improper Access Control via Synchronization Endpoint

Title source: llm

Description

On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

References (4)

Core 4

Core References

Product patch

https://www.tp-link.com/us/support/download/tapo-c260/v1/

Product patch

https://www.tp-link.com/en/support/download/tapo-c260/v1/

Vendor Advisory vendor-advisory

https://www.tp-link.com/us/support/faq/4960/

Various Sources patch

https://www.tp-link.com/en/support/download/tapo-d235/

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 20.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

tp-link/tapo_c260_firmware < 1.1.9

TP-Link Systems Inc./Tapo C260 v1 < 1.1.9 Build 251226 Rel.55870n

TP-Link Systems Inc./Tapo D235 v1 < 1.2.2 Build 260210 Rel.27165n

Published Feb 10, 2026

Tracked Since Feb 18, 2026