CVE-2026-34121

High

Published: 02 April 2026

Published

02 April 2026

Modified

06 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 38.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt…

action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Strictly defines and limits actions performable without identification or authentication, directly preventing exploitation of authentication-exempt actions appended to privileged JSON requests.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access, mitigating the inconsistent authorization logic that bypasses checks on privileged DS 'do' actions.

SI-10 Information Input Validation good match

prevent

Validates JSON request inputs to ensure consistent parsing and reject unauthorized action appendages during HTTP handling.

Security SummaryAI

CVE-2026-34121 is an authentication bypass vulnerability in the HTTP handling of the DS configuration service within TP-Link Tapo C520WS firmware version 2.6. The issue stems from inconsistent parsing and authorization logic during authentication checks on JSON requests, allowing an unauthenticated attacker to append an authentication-exempt action to a request containing privileged DS "do" actions, thereby bypassing authorization controls. Published on April 2, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

An attacker on an adjacent network (AV:A) with low attack complexity and no required privileges (PR:N) can exploit this vulnerability without user interaction. Successful exploitation enables unauthenticated execution of restricted configuration actions on the device, potentially leading to unauthorized modification of the device state, with high impacts on confidentiality, integrity, and availability.

TP-Link advisories recommend mitigation through firmware updates, with release notes and patches available on their support pages, including https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes, https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes, and https://www.tp-link.com/us/support/faq/5047/. Security practitioners should verify and apply the latest firmware to affected Tapo C520WS devices.

Details

CWE(s): CWE-287

Affected Products

tp-link

tapo c520ws firmware

≤ 1.2.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Authentication bypass vulnerability in HTTP configuration service allows unauthenticated attackers to exploit a public-facing web application on the device for unauthorized privileged action execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes
Release Notes · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes
Release Notes · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/5047/
Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630