Weak Password Hashing in TP-Link Deco M5 Device
CVE-2026-5040

7.1HIGH

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-5040?

The TP-Link Deco M5 v1 employs a poorly implemented password hashing mechanism for storing user credentials. This weakness allows an attacker who gains access to the password hash, either through a system compromise or privileged user access, to execute brute-force or dictionary attacks. If successful, the attacker can recover the authentication credentials, leading to unauthorized access to device management functions and potentially compromising user data. The primary security concern arises from the possible loss of confidentiality of sensitive information.

Affected Version(s)

Deco M5 Deco M5 V1 0 < 1.9.4 Build 20260312 Rel.17129

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.