Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechanism, an attacker can craft requests that leverage legitimate “method mapping” behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed.
Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations. Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device.
AnalysisAI
Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.
Technical ContextAI
The Tapo C520WS v2 is a TP-Link Wi-Fi pan/tilt outdoor security camera that exposes a local API for control by hub users, family members, and other restricted account roles. The vulnerability falls under CWE-287 (Improper Authentication) and specifically targets the API authorization layer, where incoming requests are matched against a whitelist of method names permitted for the calling role. Because of a flaw in how the 'method mapping' logic resolves method identifiers to actual handlers, a request that nominally invokes a whitelisted (low-sensitivity) method can be routed to a sensitive backend operation, effectively bypassing the role-based access control. The single confirmed affected product is identified by cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2 and the root cause sits in firmware on the device rather than in the cloud or mobile-app layer.
RemediationAI
Patch available per vendor advisory: apply the latest Tapo C520WS v2 firmware published in the TP-Link release notes at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes (or the EN mirror) and review the FAQ at https://www.tp-link.com/us/support/faq/5120/ for the exact fixed build number, which is not independently confirmed in the available data. Until firmware can be installed, compensating controls include removing or suspending any hub/guest/family sub-accounts that are not strictly required (eliminates the PR:L precondition at the cost of losing shared-access convenience), placing the camera on an isolated IoT VLAN or guest Wi-Fi so that only trusted administrative devices share its adjacent-network broadcast domain (mitigates AV:A but may break local app discovery), and disabling or restricting LAN-based API access in the Tapo app where supported (trade-off: forces cloud-mediated control and may add latency). Monitor the camera for unexpected reboots or configuration changes as a detection signal for attempted exploitation.
More in Tapo C520Ws V2
View allDenial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render th
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the s
Format string exploitation in TP-Link's Tapo C520WS v2 ONVIF management service allows an authenticated attacker on an a
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to c
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authentic
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34933
GHSA-x7cf-gm5r-xq89