Skip to main content

TP-Link Tapo CVE-2026-34126

| EUVDEUVD-2026-32969 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-05-28 TPLink GHSA-p93f-7gcr-x8pr
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 20:22 vuln.today
CVSS changed
May 28, 2026 - 18:22 NVD
7.3 (HIGH)
CVE Published
May 28, 2026 - 16:47 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.

An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.

An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.

D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products:

D130, D210, D235, D225, TD21, TDB21 and TD25

AnalysisAI

Cleartext Bluetooth transmission in TP-Link Tapo L535E, P300, and D100C devices allows adjacent attackers to intercept and manipulate initial setup data, enabling potential unauthorized device control during onboarding. The flaw stems from missing encryption on the Bluetooth pairing channel used only during initialization, and TP-Link has released patched firmware versions for all affected models. No public exploit identified at time of analysis, but the low complexity and absence of authentication make this a meaningful risk for users provisioning devices in dense urban or office environments.

Technical ContextAI

The affected products are TP-Link Tapo smart-home devices: the L535E smart lock (v1.0 and v3.0), the P300 smart power strip (v1.0), and the D100C smart chime (v1.0) which ships bundled with multiple Tapo camera/doorbell SKUs (D130, D210, D235, D225, TD21, TDB21, TD25). During first-time provisioning, these devices use Bluetooth Low Energy as an out-of-band channel to receive Wi-Fi credentials and pairing data from the Tapo mobile app. The root cause maps to CWE-319 (Cleartext Transmission of Sensitive Information): the BLE setup channel lacks application-layer encryption, so payloads - potentially including Wi-Fi SSID/PSK and device-binding tokens - traverse the air in plaintext where any nearby BLE radio can capture them. Bluetooth is described as being used only during initialization, meaning the exposure window is limited to the provisioning event rather than steady-state operation.

RemediationAI

Vendor-released patches are available: upgrade Tapo L535E to firmware 1.4.1 Build 251016 Rel.204554 (download links at https://www.tp-link.com/us/support/download/tapo-l535e/ and the v3 variant at https://www.tp-link.com/en/support/download/tapo-l535e/v3/), Tapo P300 to JP_1.4.0 Build 260416 Rel.014037 or EU_1.4.2 Build 251219 Rel.142654 depending on region (https://www.tp-link.com/jp/support/download/tapo-p300/ and https://www.tp-link.com/en/support/download/tapo-p300/), and Tapo D100C to 1.3.1 Build 260421 Rel.031658. Because the vulnerability is exploitable only during initial setup, the most effective compensating control for unpatched units is to perform provisioning in a Bluetooth-quiet environment (e.g., away from windows, neighbors, and public spaces) and to power-cycle and re-provision any device previously set up in an untrusted location with the patched firmware preloaded; the trade-off is added friction and the need to physically verify radio isolation. Factory-resetting an already-deployed device without first updating firmware would re-expose the same cleartext window, so always apply the firmware update before any re-pairing operation.

CVE-2015-3035 HIGH POC
7.5 Apr 22

Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before

CVE-2013-2578 CRITICAL POC
10.0 Oct 11

cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be

CVE-2021-41653 CRITICAL POC
9.8 Nov 13

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r

CVE-2022-25061 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set

CVE-2015-3036 CRITICAL POC
10.0 May 21

Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c

CVE-2012-5687 HIGH POC
7.8 Nov 01

Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13

CVE-2022-25060 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta

CVE-2025-9377 HIGH
8.6 Aug 29

TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental

CVE-2024-57049 CRITICAL POC
9.8 Feb 18

A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi

CVE-2017-13772 HIGH POC
8.8 Oct 23

Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated

CVE-2022-25064 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio

CVE-2022-30075 HIGH POC
8.8 Jun 09

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote

Share

CVE-2026-34126 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy