Session Cookie Vulnerability in Tenda Wireless Routers
CVE-2026-22081

8.8HIGH

Key Information:

Vendor

Tenda

Vendor
CVE Published:
9 January 2026

What is CVE-2026-22081?

The Tenda wireless routers, specifically the 300Mbps Wireless Router F3 and N300 Easy Setup Router, contain a vulnerability due to the absence of the HTTPOnly flag for session cookies in their web-based administrative interface. This security oversight enables remote attackers to potentially intercept session cookies over unsecured HTTP connections. By capturing these cookies, the attackers could access sensitive information or gain unauthorized control over the device, thereby compromising user data and network integrity.

Affected Version(s)

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.41

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.42

300Mbps Wireless Router F3 and N300 Easy Setup Router F3 v3.0 Firmware V12.01.01.48

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability is reported by Deven Lunkad, Swaroop Dora, Naziya Aslam, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad, India.
.