CVE-2026-36820: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A buffer overflow vulnerability affects the Tenda W20E router (firmware v15.11.0.6), specifically in the formAddWebAuthWhiteUser function when processing the webAuthWhiteUserInfo parameter. The flaw is reachable over the network without any authentication, making it exploitable by any attacker who can send HTTP requests to the device. Successful exploitation crashes the affected service, causing a denial of service. No fix version has been published; HarborGuard tracks the advisory for patch availability.
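As an added illustration of the bug class (not code from the Tenda firmware and not HarborGuard's), the C below shows the pattern such a flaw typically follows, an HTTP form parameter copied into a fixed-size buffer with no length check, beside a hardened handler that refuses oversized input instead of overrunning the buffer. The buffer size, function names, and sample inputs are assumptions; only the parameter name webAuthWhiteUserInfo and the handler name formAddWebAuthWhiteUser come from the advisory, and nothing here reproduces the actual W20E code.

```c
/*
 * Added illustration of the CVE-2026-36820 bug class. NOT the real Tenda
 * W20E code: buffer size, function names and inputs are hypothetical.
 * A form handler like formAddWebAuthWhiteUser receives the
 * webAuthWhiteUserInfo parameter from an unauthenticated HTTP request.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WHITE_USER_MAX 64   /* hypothetical fixed-size entry buffer */

/* Vulnerable pattern: unbounded copy of attacker-controlled input.
 * A webAuthWhiteUserInfo value of WHITE_USER_MAX bytes or more overruns
 * `info` and corrupts the stack; on an embedded httpd that usually kills
 * the process, which is the DoS the advisory describes. Never call this
 * with untrusted input; it is here only to show the defect. */
int add_white_user_vulnerable(const char *webAuthWhiteUserInfo)
{
    char info[WHITE_USER_MAX];
    strcpy(info, webAuthWhiteUserInfo);   /* no length check: overflow */
    return (int)strlen(info);
}

/* Hardened pattern: measure with a bound first, reject anything that does
 * not fit, then copy exactly the measured length. Returns 0 on success and
 * -1 when the parameter is missing or too long. Rejecting (rather than
 * silently truncating) keeps a whitelist entry from being stored in a form
 * the administrator did not submit. */
int add_white_user_hardened(const char *webAuthWhiteUserInfo)
{
    char info[WHITE_USER_MAX];
    if (webAuthWhiteUserInfo == NULL)
        return -1;
    size_t len = strnlen(webAuthWhiteUserInfo, WHITE_USER_MAX);
    if (len >= WHITE_USER_MAX)
        return -1;                        /* would overflow: refuse request */
    memcpy(info, webAuthWhiteUserInfo, len);
    info[len] = '\0';
    return 0;
}

/* Constructed inputs (not captured traffic): a plausible short value and an
 * over-long one of the kind a crafted request would carry. Returns 1 when
 * the hardened handler accepts the first and rejects the second. */
int demo(void)
{
    const char *ok = "192.168.0.50;user1";
    char *oversized = malloc(1024);
    if (oversized == NULL)
        return 0;
    memset(oversized, 'A', 1023);
    oversized[1023] = '\0';
    int accepted = add_white_user_hardened(ok);         /* expect 0  */
    int rejected = add_white_user_hardened(oversized);  /* expect -1 */
    free(oversized);
    return (accepted == 0 && rejected == -1) ? 1 : 0;
}

int main(void)
{
    int good = demo();
    printf("hardened handler %s oversized webAuthWhiteUserInfo\n",
           good ? "rejects" : "FAILED to reject");
    return good ? 0 : 1;
}
```

The same bound-then-copy discipline applies whether the parameter is parsed with strcpy, sscanf("%s"), or a hand-rolled tokenizer; the check that matters is that the input length is compared against the destination size before any byte is written.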
HarborGuard Coverage
- Available: Detection for CVE-2026-36820 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built firmware or application images that bundle the affected Tenda component. Coverage applies to both registry scans and pipeline-time image checks.
- Available: Triage uses the CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as an upstream fix is released. For customers who opt into auto-remediation, a rebuild and regression run will be triggered and a PR opened against affected workloads once a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable function is exposed over HTTP, so an attacker must be able to reach the device's web interface (CVSS AV:N).
- Authentication: Not required
No credentials or prior session are needed to submit a request to the affected handler (CVSS PR:N).
- Victim interaction: Not required
No user action is involved; the attacker triggers the overflow by sending a crafted HTTP request directly to the device (CVSS UI:N).
- Attack complexity: Low
CVSS rates attack complexity as low (AC:L): triggering the crash depends on no special conditions such as race timing or knowledge of the memory layout, which is typical for a denial of service caused by an oversized parameter.
Blast Radius
- The HTTP service handling the request crashes, so the router's web management interface, including the web authentication whitelist feature served by formAddWebAuthWhiteUser, is unavailable until the service is restarted.
- Availability of the device is disrupted (CVSS A:H); depending on the deployment and on whether the crash affects more than the web server, this may affect all clients relying on the router for network access.
- No confidentiality impact is indicated (CVSS C:N): the vulnerability does not expose stored credentials, session tokens, or other data.
- No integrity impact is indicated (CVSS I:N): persistent configuration or data is not modified by this exploit.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-36820 is active for any image in a customer registry or build pipeline that includes the affected Tenda W20E firmware component. Because no upstream patch exists at this time, HarborGuard continues to monitor the advisory on each ingest cycle. Where network-level compensating controls are feasible, customers can apply network policy isolation to restrict access to the device's HTTP management interface to trusted source addresses only, reducing the exposure surface until a fix is available. For customers who opt into auto-remediation, a patched rebuild, regression test run, and PR against affected workloads will be initiated automatically once an upstream fix version is published.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H