CVE-2026-24427 MEDIUM

CVE-2026-24427: Tenda AC7 Exposes Admin Credentials in Configuration Responses

Vendor Shenzhen Tenda Technology Co., Ltd.
Product Tenda AC7
Weakness CWE-201
Published February 3, 2026
Last update May 25, 2026

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Shenzhen Tenda AC7 firmware versions V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile.
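A check for both conditions described above, run over a captured management response during firmware review. This is an added example, not code from the vendor or the CVE record; the JSON field names, the key-name pattern and the sample responses are assumptions, since the record does not name the affected endpoints or fields.

```python
import json
import re
from email.parser import Parser

# Assumption: key-name pattern for credential fields; the advisory names none.
SECRET_KEY = re.compile(r"pass(word|wd)?|pwd|secret", re.I)

def secret_paths(node, path=""):
    """Yield JSON paths whose key looks credential-like and holds a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                yield here
            else:
                yield from secret_paths(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from secret_paths(value, f"{path}[{i}]")

def audit(raw):
    """Return findings for one captured HTTP response given as text."""
    head, _, body = raw.partition("\r\n\r\n")
    _, _, header_block = head.partition("\r\n")  # drop the status line
    headers = Parser().parsestr(header_block, headersonly=True)
    cache = ",".join(headers.get_all("Cache-Control", []))
    directives = {d.strip().lower() for d in cache.split(",") if d.strip()}
    try:
        exposed = sorted(secret_paths(json.loads(body)))
    except ValueError:  # non-JSON body: nothing to walk
        exposed = []
    findings = [f"credential-in-body:{p}" for p in exposed]
    if exposed and "no-store" not in directives:
        findings.append("cacheable-credential-response")
    return findings

# Constructed sample responses (field names and values are invented).
LEAKY = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
         '{"wifi": {"ssid": "home", "wifiPwd": "example-psk"}, "loginPwd": "example-admin"}')
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
         "Cache-Control: no-store\r\n\r\n"
         '{"wifi": {"ssid": "home"}, "loginPwdSet": true}')

if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, audit(sample))
```

A response that carries a credential but sets `no-store` still reports the `credential-in-body` findings: the header only addresses browser caching, not the plaintext disclosure itself.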

Key dates

02 Disclosure timeline

February 3, 2026 CVE published
May 25, 2026 Record updated