Skip to main content

Tenda EUVDEUVD-2026-19001

| CVE-2026-5526 MEDIUM
Improper Access Control (CWE-284)
2026-04-04 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 04, 2026 - 22:30 euvd
EUVD-2026-19001
Analysis Generated
Apr 04, 2026 - 22:30 vuln.today
CVE Published
Apr 04, 2026 - 22:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Improper access controls in Tenda 4G03 Pro firmware (versions up to 04.03.01.53) enable unauthenticated remote attackers to bypass authentication mechanisms via the /bin/httpd binary, potentially achieving unauthorized administrative access to the router. This vulnerability has publicly available exploit code and affects consumer-grade 4G routers commonly used for home and small office networks. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and public exploit elevates real-world risk.

Technical ContextAI

The vulnerability resides in the /bin/httpd binary of Tenda 4G03 Pro routers, which implements the web-based administrative interface. The flaw is classified as CWE-284 (Improper Access Control), indicating insufficient enforcement of access restrictions on administrative functions. The httpd daemon likely fails to properly validate authentication credentials or session tokens before granting access to privileged operations. As a 4G LTE router product (CPE: cpe:2.3:a:tenda:4g03_pro), this device provides internet connectivity and network routing functions, making authentication bypass particularly severe as it exposes all router configuration and network traffic controls to unauthorized parties. The CVSS vector AV:N indicates the attack is executable over the network without requiring local access, and PR:N confirms no authentication is required to exploit the flaw.

RemediationAI

No vendor-released patch identified at time of analysis; CVSS remediation level indicates only workarounds available (RL:W). Users should immediately check the official Tenda support website (https://www.tenda.com.cn/) for updated firmware releases beyond version 04.03.01.53 that may address this access control flaw. As interim mitigation, disable remote administration features and restrict web interface access to trusted LAN segments only, preventing internet-facing exposure of the httpd service. Implement network-level access controls (firewall rules) to block external access to the router's management interface on standard ports (TCP 80/443). Consider replacing affected devices with alternative router models if Tenda does not release timely security updates. Monitor VulDB entries (https://vuldb.com/vuln/355279) for patch availability updates and additional technical indicators of compromise.

More in Tenda

View all
CVE-2022-30023 HIGH POC
8.8 Jun 16

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev

CVE-2015-5995 CRITICAL POC
9.8 Dec 31

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke

CVE-2014-5246 CRITICAL POC
10.0 Aug 22

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication

CVE-2025-45042 CRITICAL POC
9.8 May 05

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic

CVE-2025-29384 CRITICAL POC
9.8 Mar 14

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability

CVE-2025-44877 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via

CVE-2025-44872 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via

CVE-2022-32386 CRITICAL POC
9.8 Jul 06

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV

CVE-2025-25632 CRITICAL POC
9.8 Mar 05

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se

CVE-2023-51972 CRITICAL POC
9.8 Jan 10

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate

CVE-2023-51812 CRITICAL POC
9.8 Jan 04

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /

CVE-2025-45429 CRITICAL POC
9.8 Apr 23

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp

Share

EUVD-2026-19001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy