Unrated severityNVD Advisory· Published Feb 10, 2026· Updated Mar 31, 2026

Insecure Access Control on TP-Link Tapo D235 and C260

CVE-2026-0653

Description

On TP-Link Tapo C260 v1 and D235 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.

Affected products

TP-Link/Tapo C260llm-fuzzy
TP-Link/Tapo D235llm-fuzzy
TP-Link Systems Inc./Tapo C260 v1v5
Range: 0
TP-Link Systems Inc./Tapo D235 v1v5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.tp-link.com/en/support/download/tapo-c260/v1/mitrepatch
www.tp-link.com/en/support/download/tapo-d235/mitrepatch
www.tp-link.com/us/support/download/tapo-c260/v1/mitrepatch
www.tp-link.com/us/support/faq/4960/mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000