Security Advisory: Unauthenticated Open Redirect Vulnerability in Archer AX20 Web Interface (CVE-2026-10562)
Vulnerability and Impact Description:
CVE-2026-10562
An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences.
When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.
CVSS v4.0 Score: 5.9 / Medium
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Product Model |
Hardware Version |
Fixed Firmware Version |
|
Archer AX20 |
V2 |
V2_260527 |
Note: Archer AX20 v2 is not sold in the US.
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixed the vulnerability:
EN: Download for Archer AX20 | TP-Link
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.
Looking for More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.