CVE-2026-0653 HIGH

CVE-2026-0653: Insecure Access Control on TP-Link Tapo D235 and C260

Vendor TP-Link Systems Inc.
Product Tapo C260 v1
Weakness CWE-284
Published February 10, 2026
Last update March 31, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

Key dates

02 Disclosure timeline

February 10, 2026 CVE published
March 31, 2026 Record updated