CVE-2026-27846
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
AnalysisAI
Missing authentication in the mesh network functionality of Netgear MR9600 (1.0.4.205530) and MX4200 (1.0.13.210200) allows an attacker with physical device access to add unauthorized mesh devices and extract sensitive credentials including admin passwords and Wi-Fi keys. The vulnerability requires no user interaction and affects the confidentiality of authentication materials stored on the device. No patch is currently available for this issue.
Technical ContextAI
Classified as CWE-306 (Missing Authentication for Critical Function). Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords.This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
Affected ProductsAI
Component: access to the web.
RemediationAI
Monitor vendor advisories for a patch.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today