Login Sign Up

CVE-2026-0651

7.8 HIGH
Path Traversal

📋 TL;DR

This vulnerability allows attackers on the same local network to probe the TP-Link Tapo C260 v1 camera's filesystem to determine if specific files exist. It does not allow reading file contents, writing files, or executing code. Only users with TP-Link Tapo C260 v1 cameras on their local network are affected.

💻 Affected Systems

Products:
  • TP-Link Tapo C260
Versions: v1
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 1 of the TP-Link Tapo C260 camera. Requires local network access to exploit.

📦 What is this software?

Tapo C260 Firmware by Tp Link

View all CVEs affecting Tapo C260 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could map the device's filesystem structure, potentially identifying configuration files, firmware components, or other sensitive paths that could aid in further attacks.

🟠

Likely Case

Information disclosure about filesystem structure that could be used for reconnaissance in preparation for other attacks, but no direct data theft or system compromise.

🟢

If Mitigated

Minimal impact - attackers can only confirm file existence without accessing contents, limiting practical damage.

🌐 Internet-Facing: LOW - The vulnerability requires local network access via HTTPS, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Local attackers can perform reconnaissance, but cannot read, write, or execute files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific GET requests to probe filesystem paths. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.tp-link.com/us/support/faq/4960/

Restart Required: No

Instructions:

Check TP-Link's support page for firmware updates. If available, download the latest firmware from the vendor website and follow their update instructions.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate the camera on a separate VLAN or network segment to limit exposure to potential attackers.

Access Control Lists

all

Implement network ACLs to restrict which devices can communicate with the camera.

🧯 If You Can't Patch

  • Segment the camera network to limit exposure to trusted devices only
  • Monitor network traffic for unusual GET requests to the camera

🔍 How to Verify

Check if Vulnerable:

Attempt to probe filesystem paths via crafted GET requests to the camera's HTTPS interface from the local network.

Check Version:

Check firmware version in the camera's web interface or mobile app settings.

Verify Fix Applied:

Test if filesystem path probing still works after applying any available firmware updates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests with path traversal patterns in web server logs

Network Indicators:

  • Multiple failed path probing attempts to the camera's HTTPS port

SIEM Query:

source_ip="camera_ip" AND http_method="GET" AND uri CONTAINS ".." OR uri CONTAINS "/etc/" OR uri CONTAINS "/proc/"

📊 Metadata

CVE ID: CVE-2026-0651
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
EPSS Score: 0.06% exploit probability (17.2th percentile)
Published: February 10, 2026
Last Updated: February 13, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0651, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)