CVE-2026-0653 is an access control vulnerability identified in TP-Link Tapo C260 v1 and D235 v1 smart camera devices. The issue arises because guest-level authenticated users can send specially crafted requests to a synchronization endpoint that improperly enforces access restrictions. This flaw allows attackers with minimal privileges to modify protected device settings that should be restricted, effectively bypassing intended access controls. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to correctly restrict access to sensitive functions. Although the exploit does not enable full code execution or remote takeover, unauthorized changes to device configuration can lead to significant security risks, such as disabling security features, altering network settings, or impacting device availability. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required beyond guest-level (PR:L), no user interaction (UI:N), and high impact on integrity and availability (VI:H, VA:H), but low impact on confidentiality (VC:L). The vulnerability was published on February 10, 2026, with no patches or known exploits reported to date. This suggests the issue is newly disclosed and requires immediate attention from affected users and administrators.

The primary impact of CVE-2026-0653 is unauthorized modification of device settings by attackers with only guest-level access. This can compromise the integrity and availability of the affected TP-Link Tapo devices by allowing attackers to disable security controls, alter network configurations, or otherwise manipulate device behavior. Such changes could facilitate further attacks, surveillance evasion, or denial of service conditions. Organizations relying on these devices for security monitoring or IoT functions may experience degraded security posture, increased risk of data exposure, or operational disruptions. Since the vulnerability does not allow full code execution, the risk of complete device takeover is lower, but the ability to change critical settings without authorization still represents a significant threat. The lack of patches increases exposure duration, and the network-accessible nature of the flaw means attackers can exploit it remotely within the local network or potentially via exposed interfaces.

To mitigate CVE-2026-0653, organizations should first verify if their TP-Link Tapo C260 v1 or D235 v1 devices are affected. Until official patches are released, the following practical steps are recommended: 1) Restrict network access to the affected devices by segmenting them into isolated VLANs or subnetworks with strict firewall rules to limit guest-level user access. 2) Disable or restrict guest-level authentication where possible to reduce the attack surface. 3) Monitor device logs and network traffic for unusual synchronization requests or configuration changes indicative of exploitation attempts. 4) Employ strong authentication and access control policies on management interfaces to prevent unauthorized access. 5) Regularly check for vendor updates or security advisories and apply patches promptly once available. 6) Consider replacing vulnerable devices with models confirmed to have secure access controls if immediate patching is not feasible. 7) Educate users and administrators about the risks of unauthorized configuration changes and enforce strict operational security practices around IoT device management.