CVE-2026-11834
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in TP-Link Router DHCP Processing

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: TPLink

Description
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data.Β An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized command execution during device initialization or provisioning workflows. This typically occurs when the device is in a factory-default or unconfigured state. Successful exploitation may allow an adjacent, unauthenticated attacker to execute arbitrary commands with elevated privileges, potentially leading to full compromise of the affected device and unauthorized administrative control.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-11834
EUVD
EUVD-2026-38339
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
tp-link archer_mr200 *
tp-link archer_mr402 *
tp-link archer_vr2100 *
tp-link archer_c20 v5
tp-link tl-mr6400 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11834 is a command injection vulnerability found in the DHCP option processing logic of multiple TP-Link router models. It occurs because the routers do not properly validate externally supplied DHCP option data.

An adjacent attacker can exploit this vulnerability by sending specially crafted DHCP responses to the device, especially when it is in a factory-default or unconfigured state. This can lead to unauthorized command execution during device initialization or provisioning workflows.

Successful exploitation allows the attacker to execute arbitrary commands with elevated privileges, potentially resulting in full compromise of the device and unauthorized administrative control.

Impact Analysis

This vulnerability can have severe impacts including unauthorized command execution on affected TP-Link routers.

An attacker adjacent to the network can exploit this flaw to gain elevated privileges, which may lead to full compromise of the device.

With full device compromise, the attacker could gain unauthorized administrative control, potentially disrupting network operations, intercepting or manipulating network traffic, or using the device as a foothold for further attacks.

Mitigation Strategies

To mitigate this vulnerability, it is strongly recommended to update affected TP-Link router devices to the latest firmware versions provided by TP-Link.

This vulnerability occurs during device initialization or provisioning, especially when the device is in a factory-default or unconfigured state, so applying firmware updates promptly reduces the risk of exploitation.

  • Check your device model against the affected models: Archer MR200 (EN/EU), Archer MR402 (EU), Archer VR2100 (EU), Archer C20 (V5/V6), and TL-MR6400 (EU).
  • Download and install the latest firmware updates from the official TP-Link support website for your specific router model.
  • Avoid using devices in factory-default or unconfigured states on untrusted networks until they are updated.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11834. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart