AI description
CVE-2026-13753 describes a missing authorization vulnerability found in the embedded web server of HP Deskjet 2800 Series Printers running firmware version TBP1CN2612AR and earlier. This flaw allows an unauthenticated attacker with network access to send direct GET requests to specific administrative API endpoints. Through this method, the attacker can retrieve sensitive configuration data that would normally require administrator credentials when accessed via the printer's web interface. The exposed information includes plaintext Wi-Fi Direct credentials, unique device identity details, and other administrative security state information. This bypasses the intended web interface security by failing to validate session states at the backend API layer.
- Description
- A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext WiโFi Direct credentials, unique device identity information, and other administrative security state details. When accessed through the web interface, these setting pages explicitly require administrator credentials before sensitive information is displayed.
- Source
- cret@cert.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
3