CVE-2026-0653

Name of the Vulnerable Software and Affected Versions TP-Link Tapo C260 version 1

Description A guest-level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation. The issue is due to insufficient access control.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.