CVE-2026-13753

Published Jul 6, 2026

Last updated 8 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-13753 describes a missing authorization vulnerability found in the embedded web server of HP Deskjet 2800 Series Printers running firmware version TBP1CN2612AR and earlier. This flaw allows an unauthenticated attacker with network access to send direct GET requests to specific administrative API endpoints. Through this method, the attacker can retrieve sensitive configuration data that would normally require administrator credentials when accessed via the printer's web interface. The exposed information includes plaintext Wi-Fi Direct credentials, unique device identity details, and other administrative security state information. This bypasses the intended web interface security by failing to validate session states at the backend API layer.

Description
A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext Wiโ€‘Fi Direct credentials, unique device identity information, and other administrative security state details. When accessed through the web interface, these setting pages explicitly require administrator credentials before sensitive information is displayed.
Source
cret@cert.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

3

References

Sources include official advisories and independent security research.