search menu icon-carat-right cmu-wordmark

CERT Coordination Center

HP Deskjet 2800 Printer Series Webservers contain Missing Authorization Vulnerability

Vulnerability Note VU#828543

Original Release Date: 2026-07-06 | Last Revised: 2026-07-06

Overview

HP Printers in the Deskjet 2800 Series running firmware version <=TBP1CN2612AR contain a missing authorization vulnerability tracked as CVE-2026-13753. This vulnerability allows unauthenticated access to the printer's webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users.

Description

Modern HP printers provide a web-based management interface for configuring content such as Wi-Fi Direct settings, SNMP management access, and device security options. When accessed normally through the browser interface, these pages explicitly require administrator credentials before sensitive information is displayed. This information is protected because, for example, Wi-Fi Direct controls the printer's direct wireless connectivity, and SNMP configuration settings can reveal detailed information about the device's monitoring and management controls.

In affected firmware versions, the authorization requirement can be bypassed by sending direct, unauthenticated GET requests to multiple backend API endpoints. The affected endpoints return administrative configuration data without validating session state or authentication, including the Wi-Fi Direct SSID and plaintext passphrase, unique printer serial numbers and service IDs, and details about the device's administrative password state. This information is freely disclosed even though the corresponding web interface pages correctly enforce authentication, indicating an authorization flaw in the API layer.

Impact

A remote attacker with network access to the printer can bypass the web interface's authentication requirements and retrieve sensitive configuration data directly from backend APIs. Exposed information includes Wi-Fi Direct credentials, SNMP configuration details, device identity information, cloud service registration metadata, and other information involving the device's administrative security state. An attacker could use this information to gain unauthorized wireless access, perform reconnaissance on network or cloud integrations, impersonate the device, or facilitate further compromise of the printing environment.

Solution

Unfortunately, we were unable to reach HP to coordinate this vulnerability, so a firmware patch is not yet available. To limit the risk of this vulnerability, users should restrict network access to the printer's web interface by placing the device on a trusted or isolated network segment, disable Wi‑Fi Direct if it is not required, and limit SNMP access to trusted systems or disable it entirely. Firewall or access-control list (ACL) rules should be used to prevent untrusted hosts from reaching the printer's management ports, and discovery or cloud service features that are not needed should be disabled.

Acknowledgements

Thanks to Nguyễn Tiến Dũng for researching and reporting this vulnerability. This document was written by Molly Jaconski.

Vendor Information

828543
 

HP Inc. Unknown

Notified:  2026-05-15 Updated: 2026-07-06

CVE-2026-13753 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2026-13753
API URL: VINCE JSON | CSAF
Date Public: 2026-07-06
Date First Published: 2026-07-06
Date Last Updated: 2026-07-06 18:01 UTC
Document Revision: 2

Sponsored by CISA.