HP Deskjet 2800 Webserver Missing Auth: Unauth GET Exposes WiFi Credentials
CVE-2026-13753 Published on July 6, 2026
CVE-2026-13753
A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version <=TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive configuration data such as plaintext WiFi Direct credentials, unique device identity information, and other administrative security state details. When accessed through the web interface, these setting pages explicitly require administrator credentials before sensitive information is displayed.
Vulnerability Analysis
CVE-2026-13753 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Affected Versions
HP Inc. HP 2800 Printer Series:- Before and including TBP1CN2612AR. is affected.