Cyber Resilience

CVE-2026-5526

Medium

Published: 04 April 2026

Published
04 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 28.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5526 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Tenda 4G03 Pro Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-5526 is a vulnerability involving improper access controls in an unknown functionality of the /bin/httpd component within Tenda 4G03 Pro routers, affecting versions up to 1.0, 1.1, 04.03.01.53, and associated with the default IP 192.168.0.1. Published on 2026-04-04, it is linked to CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control), earning a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity.

The vulnerability enables remote exploitation over the network with low attack complexity, requiring no privileges or user interaction. Attackers can manipulate the affected functionality to bypass access controls, potentially achieving low-level impacts on confidentiality, integrity, and availability. An exploit for this issue has been publicly released, increasing the risk of real-world attacks.

Advisories detailing the vulnerability are available on VulDB at https://vuldb.com/vuln/355279, https://vuldb.com/vuln/355279/cti, and a submission page at https://vuldb.com/submit/782052, along with the vendor site at https://www.tenda.com.cn/. Security practitioners should review these sources for any recommended mitigations or patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The…

more

exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper access control issue in the public-facing /bin/httpd web server component of a router, directly enabling remote unauthenticated exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2148Same vendor: Tenda
CVE-2025-29357Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda
CVE-2025-12225Same vendor: Tenda
CVE-2025-7420Same vendor: Tenda
CVE-2018-25316Same vendor: Tenda
CVE-2025-7747Same vendor: Tenda
CVE-2025-7795Same vendor: Tenda
CVE-2026-3379Same vendor: Tenda

Affected Assets

tenda
4g03 pro firmware
04.03.01.53

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved access authorizations, directly countering the improper access controls in the Tenda router's /bin/httpd component.

prevent

AC-6 enforces least privilege principles, addressing the CWE-266 incorrect privilege assignment that enables remote exploitation of this vulnerability.

prevent

SI-2 requires timely identification and correction of flaws like CVE-2026-5526, preventing exploitation especially with public exploits available.

References