CVE-2026-3294 PUBLISHED

Authentication Logic Vulnerability on Multiple TP-Link Range Extenders

Assigner: TPLink
Reserved: 26.02.2026 Published: 22.05.2026 Updated: 22.05.2026

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation.

Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor TP-Link Systems Inc.
Product Archer RE650 v1
Versions Default: unaffected
  • affected from 0 to V1_20260429 (excl.)
Vendor TP-Link Systems Inc.
Product Archer RE305 v1
Versions Default: unaffected
  • affected from 0 to V1_20260515 (excl.)
Vendor TP-Link Systems Inc.
Product Archer RE360 v1
Versions Default: unaffected
  • affected from 0 to V1_20260515 (excl.)
Vendor TP-Link Systems Inc.
Product TL-WA860RE v4
Versions Default: unaffected
  • affected from 0 to V4_20260515 (excl.)
Vendor TP-Link Systems Inc.
Product RE580D v1
Versions Default: unaffected
  • affected from 0 to V1_20260515 (excl.)

Credits

  • Job Jobse (finder)

Problem Types

  • CWE-20 Improper Input Validation

Impacts

  • CAPEC-115 Authentication Bypass