{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34121", "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "state": "PUBLISHED", "assignerShortName": "TPLink", "dateReserved": "2026-03-25T18:54:03.343Z", "datePublished": "2026-04-02T17:20:06.705Z", "dateUpdated": "2026-04-02T17:58:52.376Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "shortName": "TPLink", "dateUpdated": "2026-04-02T17:20:06.705Z"}, "title": "Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "type": "CWE"}]}], "affected": [{"vendor": "TP-Link Systems Inc.", "product": "Tapo C520WS v2.6", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.4 Build 260326 Rel.24666n", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.\n\nSuccessful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.\n<br>Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.&nbsp;<br>"}]}], "references": [{"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/us/support/faq/5047/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T17:58:42.273820Z", "id": "CVE-2026-34121", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:58:52.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34121", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T17:58:42.273820Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T17:58:47.830Z"}}], "cna": {"title": "Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TP-Link Systems Inc.", "product": "Tapo C520WS v2.6", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.4 Build 260326 Rel.24666n", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes", "tags": ["patch"]}, {"url": "https://www.tp-link.com/us/support/faq/5047/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.\n\nSuccessful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.", "supportingMedia": [{"type": "text/html", "value": "An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.\n<br>Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.&nbsp;<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "shortName": "TPLink", "dateUpdated": "2026-04-02T17:20:06.705Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34121", "state": "PUBLISHED", "dateUpdated": "2026-04-02T17:58:52.376Z", "dateReserved": "2026-03-25T18:54:03.343Z", "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630", "datePublished": "2026-04-02T17:20:06.705Z", "assignerShortName": "TPLink"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "710DD89A-E94F-4371-A03F-698C2F61D9C1", "versionEndExcluding": "1.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tp-link:tapo_c520ws:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "72666951-E72F-4494-9A90-1F0B22E2F3CD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.\n\nSuccessful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state."}], "id": "CVE-2026-34121", "lastModified": "2026-04-06T20:24:48.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary"}]}, "published": "2026-04-02T18:16:28.990", "references": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"], "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"}, {"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"], "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"}, {"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"], "url": "https://www.tp-link.com/us/support/faq/5047/"}], "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2.4 Build 260326 Rel.24666n)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "Tapo C520WS v2.6", "source": "cna", "vendor": "TP-Link Systems Inc."}, "product": "tapo_c520ws_v2", "vendor": "tp-link"}], "analysis": {"en": {"generated_at": "2026-04-07T02:53:45.690368+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update from TP\u2011Link\u2019s official website, ensuring the device runs a version newer than 2.6.", "If an update is not available, restrict or block access to the DS configuration service by disabling it in the device settings or by configuring device\u2011level firewall rules to deny external HTTP traffic.", "After updating or disabling the service, verify that authentication checks for configuration actions are properly enforced by attempting to run privileged commands without authentication, confirming that the bypass no longer occurs.", "Segment the network so that only trusted devices can communicate with the Tapo C520WS, and monitor HTTP traffic for suspicious or malformed requests that may indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Configuration Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects TP\u2011Link Tapo C520WS devices running firmware version 2.6. No other TP\u2011Link products or firmware versions are listed as impacted in the available data.", "description_and_impact": "An authentication bypass flaw exists in the DS configuration service of the TP\u2011Link Tapo C520WS firmware. The HTTP handler processes JSON requests inconsistently, allowing an attacker to append an authentication\u2011exempt action to a privileged request. The firmware then treats the request as authenticated and executes configuration changes that normally require authorization. This results in unauthorized modification of device settings, potentially altering device behavior without the owner\u2019s consent.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates a high severity vulnerability. The EPSS score of less than 1\u202f% suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be network\u2011based: an unauthenticated attacker must be able to send crafted HTTP/JSON requests to the device to exploit the faulty request parsing and authorization logic."}}}}, "created": "2026-04-03T08:58:09.328583+00:00", "updated": "2026-04-07T07:55:48.078779+00:00", "vendors": ["tp-link", "tp-link$PRODUCT$tapo_c520ws_v2"]}