Skip to main content

Tapo C520WS CVE-2026-34123

| EUVDEUVD-2026-34933 HIGH
Improper Authentication (CWE-287)
2026-06-05 TPLink GHSA-x7cf-gm5r-xq89
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 00:28 vuln.today
CVSS changed
Jun 06, 2026 - 00:22 NVD
7.0 (HIGH)

DescriptionCVE.org

On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechanism, an attacker can craft requests that leverage legitimate “method mapping” behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed.

Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations. Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device.

AnalysisAI

Authorization bypass in TP-Link Tapo C520WS v2 cameras allows holders of restricted accounts (such as hub users) to execute privileged operations they are not entitled to perform. By abusing the device API's legitimate method mapping behavior, an authenticated low-privilege attacker on the adjacent network can disguise sensitive calls as whitelisted ones, leading to integrity loss and high availability impact including device resets and configuration changes. No public exploit identified at time of analysis, and the issue was reported by TP-Link itself with a vendor patch available.

Technical ContextAI

The Tapo C520WS v2 is a TP-Link Wi-Fi pan/tilt outdoor security camera that exposes a local API for control by hub users, family members, and other restricted account roles. The vulnerability falls under CWE-287 (Improper Authentication) and specifically targets the API authorization layer, where incoming requests are matched against a whitelist of method names permitted for the calling role. Because of a flaw in how the 'method mapping' logic resolves method identifiers to actual handlers, a request that nominally invokes a whitelisted (low-sensitivity) method can be routed to a sensitive backend operation, effectively bypassing the role-based access control. The single confirmed affected product is identified by cpe:2.3:a:tp-link_systems_inc.:tapo_c520ws_v2 and the root cause sits in firmware on the device rather than in the cloud or mobile-app layer.

RemediationAI

Patch available per vendor advisory: apply the latest Tapo C520WS v2 firmware published in the TP-Link release notes at https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes (or the EN mirror) and review the FAQ at https://www.tp-link.com/us/support/faq/5120/ for the exact fixed build number, which is not independently confirmed in the available data. Until firmware can be installed, compensating controls include removing or suspending any hub/guest/family sub-accounts that are not strictly required (eliminates the PR:L precondition at the cost of losing shared-access convenience), placing the camera on an isolated IoT VLAN or guest Wi-Fi so that only trusted administrative devices share its adjacent-network broadcast domain (mitigates AV:A but may break local app discovery), and disabling or restricting LAN-based API access in the Tapo app where supported (trade-off: forces cloud-mediated control and may add latency). Monitor the camera for unexpected reboots or configuration changes as a detection signal for attempted exploitation.

Share

CVE-2026-34123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy