CVE-2026-0653 — MEDIUM (6.5)

Q: How severe is CVE-2026-0653?

CVE-2026-0653 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-0653?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Tapo C260 Firmware, Tp-Link Tapo C260.

Vulnerability Description

On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Tp-Link	Tapo C260 Firmware	< 1.1.9
Tp-Link	Tapo C260	1

Related Weaknesses (CWE)

CWE-284

References

FAQ

What is CVE-2026-0653?

CVE-2026-0653 is a vulnerability with a CVSS score of 6.5 (MEDIUM). On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of pro...

How severe is CVE-2026-0653?

CVE-2026-0653 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-0653?

Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Tapo C260 Firmware, Tp-Link Tapo C260.