Click to skip the navigation bar

Security Advisory: Weak Password Hashing Mechanism in TP-Link Deco M5 (CVE-2026-5040)

Security Advisory
Last updated: July 14, 2026

Vulnerability and Impact Description:

CVE-2026-5040

TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.

Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.

CVSS v4.0 Score: 7.1 / High

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Product Model

Hardware Version

Fixed Firmware Version

Deco M5

v1

1.9.4 Build 20260312 Rel.17129

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Update affected devices to the latest firmware version that fixed the vulnerability:

EN: Download for Deco M5 | TP-Link

US: Download for Deco M5 | TP-Link

Disclaimer:

This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable.

Related FAQs

Looking For More

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >