Input Validation Vulnerability on Multiple Omada Switches
Summary
| CVE | CVE-2026-1668 |
|---|---|
| State | PUBLISHED |
| Assigner | TPLink |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-13 19:53:58 UTC |
| Updated | 2026-04-02 15:03:02 UTC |
| Description | The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.<br>An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or information disclosure. Successful exploitation may allow remote code execution or denial-of-service. |
Risk And Classification
Primary CVSS: v4.0 7.7 HIGH from f23511db-6c3e-4e32-a477-6aa17d310630
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-20 Improper Input Validation | CWE-787
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f23511db-6c3e-4e32-a477-6aa17d310630 | Secondary | 7.7 | HIGH | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 7.7 | HIGH | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Adjacent |
| Attack Complexity | High |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Sub Conf. | None |
| Sub Integrity | None |
| Sub Availability | None |

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Tp-link | Omada Sg2005p-pd | - | All | All | All |
| Operating System | Tp-link | Omada Sg2005p-pd Firmware | All | All | All | All |
| Operating System | Tp-link | Omada Sg2008 Firmware | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TP-Link Systems Inc. | SG2008P 3.2x | affected 3.20.17 Build 20260121 Rel.53429 custom | SG2008P(UN) hardware version 3.20, SG2008P(UN) hardware version 3.26 |
| CNA | TP-Link Systems Inc. | SG2008P 3.3x | affected 3.30.1 Build 20260127 Rel.32017 custom | SG2008P(UN) hardware version 3.30, SG2008P(UN) hardware version 3.36, SG2008P(EU) hardware version 3.36 |
| CNA | TP-Link Systems Inc. | SX3016F 1.3x | affected 1.30.1 Build 20260129 Rel.8831 custom | SX3016F(UN) hardware version 1.30, SX3016F(UN) hardware version 1.36, SX3016F(IN) hardware version 1.38 |
| CNA | TP-Link Systems Inc. | SX3016F 1.2x | affected 1.20.16 Build 20260121 Rel.57953 custom | SX3016F(UN) hardware version 1.20, SX3016F(UN) hardware version 1.26, SX3016F(IN) hardware version 1.28 |
| CNA | TP-Link Systems Inc. | SG3428 2.4x | affected 2.40.1 Build 20260127 Rel.39545 custom | SG3428(UN) 2.40, SG3428(UN) 2.46, SG3428(BR) 2.46, SG3428(IN) 2.48 |
| CNA | TP-Link Systems Inc. | SG3428XMP 3.3x | affected 3.30.1 Build 20260127 Rel.39545 custom | SG3428XMP(UN) 3.30, SG3428XMP(UN) 3.36, SG3428XMP(EU) 3.36, SG3428XMP(IN) 3.38 |
| CNA | TP-Link Systems Inc. | SG3428X 1.4x | affected 1.40.1 Build 20260127 Rel.39545 custom | SG3428X(UN) 1.40, SG3428X(UN) 1.46, SG3428X(EU) 1.46, SG3428X(IN) 1.48 |
| CNA | TP-Link Systems Inc. | SG3428XF 1.3x | affected 1.30.1 Build 20260127 Rel.39545 custom | SG3428XF(UN) 1.30, SG3428XF(UN) 1.36, SG3428XF(IN) 1.38 |
| CNA | TP-Link Systems Inc. | SG3452P 3.4x | affected 3.40.1 Build 20260128 Rel.7041 custom | SG3452P(UN) 3.40, SG3452P(UN) 3.46, SG3452P(IN) 3.48 |
| CNA | TP-Link Systems Inc. | SG3428MP 6.3x | affected 6.30.1 Build 20260127 Rel.39545 custom | SG3428MP(UN) 6.30, SG3428MP(UN) 6.36, SG3428MP(BR) 6.36, SG3428MP(IN) 6.38, SG3428MP(EU) 6.36 |
| CNA | TP-Link Systems Inc. | SG2218P 2.2x | affected 2.20.2 Build 20260127 Rel.32017 custom | SG2218P(UN) 2.20, SG2218P(UN) 2.26 |
| CNA | TP-Link Systems Inc. | SG2016P 1.3x | affected 1.30.1 Build 20260127 Rel.32017 custom | SG2016P(UN) 1.30, SG2016P(UN) 1.36 |
| CNA | TP-Link Systems Inc. | SG3452XP 2.3x | affected 2.30.1 Build 20260128 Rel.8721 custom | SG3452XP(UN) 2.30, SG3452XP(UN) 2.36, SG3452XP(IN) 2.38 |
| CNA | TP-Link Systems Inc. | SG3428XMPP 1.2x | affected 1.20.1 Build 20260127 Rel.39545 custom | SG3428XMPP(UN) 1.20, SG3428XMPP(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG3452X 1.3x | affected 1.30.1 Build 20260128 Rel.8721 custom | SG3452X(UN) 1.30, SG3452X(UN) 1.36, SG3452X(IN) 1.38 |
| CNA | TP-Link Systems Inc. | SG2008 4.3x | affected 4.30.1 Build 20260127 Rel.32017 custom | SG2008(UN) 4.30, SG2008(UN) 4.36 |
| CNA | TP-Link Systems Inc. | SG3210 3.3x | affected 3.30.1 Build 20260206 Rel.33103 custom | SG3210(UN) 3.30, SG3210(UN) 3.36, SG3210(IN) 3.38 |
| CNA | TP-Link Systems Inc. | SG2210MP 5.2x | affected 5.20.1 Build 20260127 Rel.32017 custom | SG2210MP(UN) 5.20, SG2210MP(IN) 5.28, SG2210MP(EU) 5.26 |
| CNA | TP-Link Systems Inc. | SG2210P 5.3x | affected 5.30.1 Build 20260127 Rel.32017 custom | SG2210P(UN) 5.30, SG2210P(UN) 5.36, SG2210P(BR) 5.36, SG2210P(IN) 5.38, SG2210P(EU) 5.36 |
| CNA | TP-Link Systems Inc. | SG2218 1.3x | affected 1.30.1 Build 20260127 Rel.32017 custom | SG2218(UN) 1.30, SG2218(UN) 1.36 |
| CNA | TP-Link Systems Inc. | SG3452 1.3x | affected 1.30.1 Build 20260128 Rel.7041 custom | SG3452(UN) 1.30, SG3452(UN) 1.36, SG3452(IN) 1.38 |
| CNA | TP-Link Systems Inc. | SG3210X-M2 1.2x | affected 1.20.1 Build 20260129 Rel.13605 custom | SG3210X-M2(UN) 1.20, SG3210X-M2(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG2210XMP-M2 1.x | affected 1.0.19 Build 20260121 Rel.53314 custom | SG2210XMP-M2(UN) 1.0, SG2210XMP-M2(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG2008 4.2x | affected 4.20.17 Build 20260121 Rel.53429 custom | SG2008(UN) 4.20, SG2008(UN) 4.26 |
| CNA | TP-Link Systems Inc. | SG2218P 1.2x | affected 1.20.17 Build 20260121 Rel.53429 custom | SG2218P(UN) 1.20, SG2218P(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG3210 3.2x | affected 3.20.17 Build 20260121 Rel.53429 custom | SG3210(UN) 3.20, SG3210(IN) 3.28, SG3210(UN) 3.26 |
| CNA | TP-Link Systems Inc. | SG3428X-M2 1.2x | affected 1.20.18 Build 20260121 Rel.54271 custom | SG3428X-M2(UN) 1.20, SG3428X-M2(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SX3832MPP 1.x | affected 1.0.11 Build 20260121 Rel.56907 custom | SX3832MPP(UN) 1.0, SX3832MPP(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG2218 1.2x | affected 1.20.17 Build 20260121 Rel.53429 custom | SG2218(UN) 1.20, SG2218(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SX3832 1.x | affected 1.0.12 Build 20260121 Rel.56907 custom | SX3832(UN) 1.0, SX3832(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG2428LP 1.x | affected 1.0.15 Build 20260121 Rel.53429 custom | SG2428LP(UN) 1.0, SG2428LP(UN) 1.6, SG2428LP(IN) 1.8 |
| CNA | TP-Link Systems Inc. | SL2428P 6.2x | affected 6.20.18 Build 20260121 Rel.53429 custom | SL2428P(UN) 6.20, SL2428P(UN) 6.26 |
| CNA | TP-Link Systems Inc. | SG3218XP-M2 1.x | affected 1.0.19 Build 20260121 Rel.53314 custom | SG3218XP-M2(UN) 1.0, SG3218XP-M2(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG3210XHP-M2 3.x | affected 3.0.21 Build 20260121 Rel.53314 custom | SG3210XHP-M2(UN) 3.0, SG3210XHP-M2(IN) 3.8, SG3210XHP-M2(UN) 3.6 |
| CNA | TP-Link Systems Inc. | SG2218P 2.x | affected 2.0.14 Build 20260121 Rel.53429 custom | SG2218P(UN) 2.0, SG2218P(UN) 2.6 |
| CNA | TP-Link Systems Inc. | SG3210X-M2 1.x | affected 1.0.19 Build 20260121 Rel.53314 custom | SG3210X-M2(UN) 1.0, SG3210X-M2(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG2428P 5.3x | affected 5.30.16 Build 20260121 Rel.53429 custom | SG2428P(UN) 5.30, SG2428P(UN) 5.32, SG2428P(IN) 5.33 |
| CNA | TP-Link Systems Inc. | SG2210MP 4.2x | affected 4.20.18 Build 20260121 Rel.53429 custom | SG2210MP(UN) 4.20, SG2210MP(UN) 4.26 |
| CNA | TP-Link Systems Inc. | SG3452P 3.3x | affected 3.30.17 Build 20260121 Rel.54132 custom | SG3452P(UN) 3.30, SG3452P(IN) 3.33, SG3452P(UN) 3.32 |
| CNA | TP-Link Systems Inc. | SG3452 1.2x | affected 1.20.17 Build 20260121 Rel.54132 custom | SG3452(UN) 1.20, SG3452(IN) 1.28, SG3452(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG2452LP 1.x | affected 1.0.13 Build 20260121 Rel.54132 custom | SG2452LP(UN) 1.0, SG2452LP(UN) 1.6, SG2452LP(IN) 1.8 |
| CNA | TP-Link Systems Inc. | SX3032F 1.x | affected 1.0.15 Build 20260121 Rel.56907 custom | SX3032F(UN) 1.0, SX3032F(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG3452X 1.2x | affected 1.20.18 Build 20260121 Rel.55833 custom | SG3452X(UN) 1.20, SG3452X(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG3452XMPP 1.x | affected 1.0.15 Build 20260121 Rel.55833 custom | SG3452XMPP(UN) 1.0, SG3452XMPP(UN) 1.6, SG3452XMPP(IN) 1.8 |
| CNA | TP-Link Systems Inc. | SG3428XPP-M2 1.2x | affected 1.20.19 Build 20260121 Rel.54271 custom | SG3428XPP-M2(UN) 1.20, SG3428XPP-M2(UN) 1.26 |
| CNA | TP-Link Systems Inc. | TL-SG3452P 3.0 | affected 3.0.22 Build 20260121 Rel.54132 custom | TL-SG3452P(UN) 3.0 |
| CNA | TP-Link Systems Inc. | SG2428P 5.2x | affected 5.20.20 Build 20260121 Rel.53429 custom | SG2428P(UN) 5.20, SG2428P(UN) 5.26 |
| CNA | TP-Link Systems Inc. | SG2210MP 5.x | affected 5.0.15 Build 20260121 Rel.53429 custom | SG2210MP(UN) 5.0, SG2210MP(IN) 5.8 |
| CNA | TP-Link Systems Inc. | SG2005P-PD 1.x | affected 1.0.19 Build 20260121 Rel.53429 custom | SG2005P-PD(UN) 1.0, SG2005P-PD(UN) 1.6 |
| CNA | TP-Link Systems Inc. | SG2016P 1.2x | affected 1.20.17 Build 20260121 Rel.53429 custom | SG2016P(UN) 1.20, SG2016P(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG3452XP 2.2x | affected 2.20.20 Build 20260121 Rel.55833 custom | SG3452XP(UN) 2.20, SG3452XP(UN) 2.26 |
| CNA | TP-Link Systems Inc. | SG3428XMP 3.2x | affected 3.20.21 Build 20260113 Rel.67732 custom | SG3428XMP(UN) 3.20, SG3428XMP(IN) 3.28, SG3428XMP(UN) 3.26 |
| CNA | TP-Link Systems Inc. | SG3428X 1.3x | affected 1.30.17 Build 20260113 Rel.67732 custom | SG3428X(UN) 1.30, SG3428X(IN) 1.33, SG3428X(UN) 1.32 |
| CNA | TP-Link Systems Inc. | SG3428XF 1.2x | affected 1.20.16 Build 20260113 Rel.67732 custom | SG3428XF(UN) 1.20, SG3428XF(IN) 1.28, SG3428XF(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SG3428MP 6.2x | affected 6.20.20 Build 20260113 Rel.67732 custom | SG3428MP(UN) 6.20, SG3428MP(IN) 6.28, SG3428MP(UN) 6.26 |
| CNA | TP-Link Systems Inc. | TL-SG3428MP 5.x | affected 5.0.25 Build 20260113 Rel.67732 custom | TL-SG3428MP(UN) 5.0, TL-SG3428MP(UN) 5.6, TL-SG3428MP(UN) 5.20, TL-SG3428MP(UN) 5.26 |
| CNA | TP-Link Systems Inc. | SG3428 2.3x | affected 2.30.16 Build 20260113 Rel.67732 custom | SG3428(UN) 2.30, SG3428(IN) 2.33, SG3428(UN) 2.32 |
| CNA | TP-Link Systems Inc. | SG3428XMPP 1.x | affected 1.0.16 Build 20260113 Rel.67732 custom | SG3428XMPP(UN) 1.0, SG3428XMPP(IN) 1.8, SG3428XMPP(UN) 1.6 |
| CNA | TP-Link Systems Inc. | TL-SG2428P 4.x | affected 4.0.26 Build 20260121 Rel.53429 custom | TL-SG2428P(UN) 4.0, TL-SG2428P(UN) 4.6 |
| CNA | TP-Link Systems Inc. | SG2210P 5.2x | affected 5.20.18 Build 20260121 Rel.53429 custom | SG2210P(UN) 5.20, SG2210P(IN) 5.28, SG2210P(UN) 5.26 |
| CNA | TP-Link Systems Inc. | SX3008F 1.2x | affected custom | SX3008F(UN) 1.20, SX3008F(IN) 1.28, SX3008F(UN) 1.26 |
| CNA | TP-Link Systems Inc. | SX3206HPP 1.20 | affected custom | SX3206HPP(UN) 1.20 |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| support.omadanetworks.com/us/document/118794 | f23511db-6c3e-4e32-a477-6aa17d310630 | support.omadanetworks.com | Vendor Advisory |
| support.omadanetworks.com/au/download/firmware | f23511db-6c3e-4e32-a477-6aa17d310630 | support.omadanetworks.com | Product |
| support.omadanetworks.com/en/download/firmware | f23511db-6c3e-4e32-a477-6aa17d310630 | support.omadanetworks.com | Product |
| support.omadanetworks.com/us/product | f23511db-6c3e-4e32-a477-6aa17d310630 | support.omadanetworks.com | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: tangrs (en)
There are currently no legacy QID mappings associated with this CVE.