Authentication Bypass in Snap One WattBox 800 and 820 Series
CVE-2026-41446

9.2 CRITICAL

Key Information:

Vendor
CVE Published: 28 April 2026

What is CVE-2026-41446?

Snap One WattBox 800 and 820 series firmware versions before 2.10.0.0 contain hidden diagnostic HTTP endpoints that can be accessed with minimal authentication. These endpoints require only the device's MAC address and service tag, both of which are readily available on the physical device label. This creates a significant security risk: an attacker who obtains this information may execute arbitrary commands as root, compromising the device's integrity and security.

Affected Version(s)

WattBox 800 0 < 2.10.0.0

WattBox 820 0 < 2.10.0.0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anonymous