CVE-2026-3294 HIGH

CVE-2026-3294: Authentication Logic Vulnerability on Multiple TP-Link Range Extenders

Vendor Tp-Link Systems Inc.
Product Archer RE650 v1
Weakness CWE-20 · Input validation
Published May 22, 2026
Last update May 27, 2026

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

Key dates

02Disclosure timeline

May 22, 2026 CVE published
May 27, 2026 Record updated