CVE-2026-0629 HIGH

CVE-2026-0629: Authentication Bypass in Password Recovery Feature via Local Web App on Multiple VIGI Cameras

Vendor Tp-Link Systems Inc.
Product VIGI InSight Sx45 Series (S245/S345/S445)
Weakness CWE-287 · Improper authentication
Published January 16, 2026
Last update February 26, 2026

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

Key dates

02Disclosure timeline

January 16, 2026 CVE published
February 26, 2026 Record updated

Related vulnerabilities

04Related CVE