CVE-2026-13230 PUBLISHED

Information Disclosure Vulnerability in Local Discovery Response in TP-Link Kasa EC70 and EC71

Assigner: TPLink
Reserved: 24.06.2026 Published: 15.07.2026 Updated: 15.07.2026

An information disclosure vulnerability was identified in TP-Link Kasa EC70 v4 and EC71 v4 in the local discovery mechanism, which exposes sensitive geolocation information without requiring authentication. This issue allows an attacker on the same local network to retrieve geolocation-related data through crafted responses.

The vulnerability impacts confidentiality only, with no evidence of integrity of availability impact.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor TP-Link Systems Inc.
Product Kasa EC71 v4
Versions Default: unaffected
  • affected from 0 to 2.4.1 Build 20260621 rel.76536 (excl.)
Vendor TP-Link Systems Inc.
Product Kasa EC70 v4
Versions Default: unaffected
  • affected from 0 to 2.4.1 Build 20260621 rel.76536 (excl.)

Credits

  • Christopher Childress finder

References

Problem Types

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

  • CAPEC-118 Collect & Analyze Information