TP-Link Omada Cloud Controller allows unauthorized access to sensitive data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

2.0

TP-Link Omada Cloud Controller allows unauthorized access to sensitive data

CVE-2025-9292

Summary

A misconfigured security setting in the Omada Cloud Controller may allow hackers to access sensitive information if they have already found a way to inject malicious code into the system. This can only happen if the hacker has already taken control of a user's computer or device. If you're using the latest version of the Omada Cloud Controller, you're protected, and no action is needed.

Original title

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existi...

Original description

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful exploitation could allow unauthorized disclosure of sensitive information. Fixed in updated Omada Cloud Controller service versions deployed automatically by TP‑Link. No user action is required.

nvd CVSS4.0 2.0

Vulnerability type

CWE-942

Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026