CVE-2026-13753
Awaiting Analysis Awaiting Analysis - Queue

Missing Authorization in HP Deskjet 2800 Series Printers

Vulnerability report for CVE-2026-13753, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: CERT/CC

Description

A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext Wi‑Fi Direct credentials, unique device identity information, and other administrative security state details. When accessed through the web interface, these setting pages explicitly require administrator credentials before sensitive information is displayed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hp deskjet_2800_series_printers to TBP1CN2612AR (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Since HP has not yet released a firmware patch for this vulnerability, immediate mitigation steps include restricting network access to the affected printer.

  • Implement firewall rules to block unauthorized access to the printer's webserver and administrative API endpoints.
  • Disable unnecessary features such as Wi-Fi Direct and SNMP on the printer to reduce the attack surface.

These measures help prevent unauthenticated attackers from exploiting the missing authorization flaw to retrieve sensitive configuration data.

Compliance Impact

This vulnerability exposes sensitive configuration data such as plaintext Wi-Fi Direct credentials and unique device identity information without authentication. Such unauthorized disclosure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of sensitive data and ensuring proper access controls.

Since the vulnerability allows unauthenticated network access to confidential device and network credentials, it increases the risk of data breaches and unauthorized access, potentially violating regulatory requirements for confidentiality and security of personal and organizational data.

Organizations using affected HP Deskjet 2800 Series printers should consider this vulnerability when assessing their compliance posture and implement mitigating controls such as network restrictions and disabling vulnerable features until a patch is available.

Executive Summary

CVE-2026-13753 is a missing authorization vulnerability in the embedded webserver of HP Deskjet 2800 Series printers running firmware version TBP1CN2612AR or earlier.

An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext Wi‑Fi Direct credentials, unique device identity information, and other administrative security state details.

While the printer's web interface requires administrator credentials to view these settings, the backend APIs do not properly validate user credentials, allowing unauthorized access to sensitive information.

Impact Analysis

This vulnerability can allow an attacker to retrieve confidential data such as Wi-Fi credentials, device serial numbers, and administrative security settings without authentication.

With this information, an attacker could gain unauthorized wireless network access, potentially compromising the printer and connected networks.

It may also facilitate further attacks on the printer or other devices on the network.

Detection Guidance

This vulnerability can be detected by attempting to send unauthenticated GET requests to the printer's exposed administrative API endpoints and checking if sensitive configuration data is returned without requiring authentication.

For example, you can use network tools like curl or wget to send requests to the printer's IP address targeting known API endpoints and observe if sensitive information such as Wi-Fi Direct credentials or device identity details are disclosed.

  • curl http://<printer_ip>/api/endpoint
  • wget -qO- http://<printer_ip>/api/endpoint

Replace <printer_ip> with the actual IP address of the HP Deskjet 2800 Series printer and /api/endpoint with the specific administrative API paths. If the response contains sensitive data without authentication, the vulnerability is present.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13753. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart