CVE-2026-24428 HIGH

CVE-2026-24428: Tenda W30E V2 Incorrect Authorization Allows Administrator Password Change

Vendor Shenzhen Tenda Technology Co., Ltd.

Product W30E V2

Weakness CWE-863 · Incorrect authorization

Published January 26, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges.

Key dates

02Disclosure timeline

January 26, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24428 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2026-24428

CWE CWE-863

CVSS 8.7 / HIGH

Affected versions