CVE-2026-0651 is a path traversal vulnerability identified in TP-Link Tapo C260 v1 and D235 v1 smart camera devices. The flaw stems from improper validation and limitation of pathname inputs in HTTPS GET requests, allowing an attacker on the same local network to craft requests that probe the device's filesystem paths. This vulnerability is classified under CWE-22, which refers to improper limitation of a pathname to a restricted directory, commonly known as path traversal. The attacker can determine the presence or absence of specific files on the device, which could aid in reconnaissance or further targeted attacks. However, the vulnerability does not allow reading file contents, writing files, or executing arbitrary code, limiting its direct impact. The attack vector is network-based (local network), requires no authentication or user interaction, and has a low complexity of attack. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the limited impact on confidentiality and integrity but potential information disclosure. No patches or exploits are currently documented, but the vulnerability is publicly disclosed and assigned a CVE identifier. This issue highlights the importance of strict input validation and access controls in IoT device firmware to prevent unauthorized filesystem probing.

The primary impact of CVE-2026-0651 is information disclosure through filesystem probing. Attackers on the local network can infer the existence of files, which may reveal device configuration details, firmware versions, or other sensitive metadata. While no direct read, write, or code execution is possible, this reconnaissance capability can facilitate further attacks or targeted exploitation if combined with other vulnerabilities. For organizations deploying these TP-Link devices, especially in sensitive environments, this vulnerability could undermine security by exposing device internals to unauthorized parties. The risk is heightened in environments with weak network segmentation or where local network access is easily obtained, such as public Wi-Fi or poorly secured corporate networks. Although the severity is medium, the vulnerability could contribute to a larger attack chain, increasing overall risk. The lack of available patches means the vulnerability may persist until addressed by the vendor, prolonging exposure.

To mitigate CVE-2026-0651, organizations should implement strict network segmentation to isolate TP-Link Tapo devices from untrusted or guest network segments, limiting local network access to authorized users only. Employ network access controls such as VLANs and firewall rules to restrict communication with these devices. Monitor network traffic for unusual HTTPS GET requests targeting device paths indicative of probing attempts. Disable or limit device management interfaces accessible from local networks if not required. Regularly update device firmware and check for vendor patches addressing this vulnerability once available. Consider deploying intrusion detection systems (IDS) capable of detecting path traversal patterns in HTTP/HTTPS traffic. For high-security environments, evaluate alternative devices with stronger security postures or enhanced input validation. Maintain an inventory of affected devices and plan for timely remediation when patches are released.