CVE-2026-34123

June 6, 2026, 12:16 a.m.

7.0
Medium

Description

On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechanism, an attacker can craft requests that leverage legitimate “method mapping” behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed. Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations.  Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device.

Product(s) Impacted

Vendor Product Versions
Tapo
  • Tapo C520ws
  • v2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tapo tapo_c520ws v2 / / / / / / /

References

https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes
https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes
https://www.tp-link.com/us/support/faq/5120/

Tags

CWE-287
f23511db-6c3e-4e32-a477-6aa17d310630
2026-06-06
CVE-2026-34123

CVSS Score

7.0 / 10

CVSS Data - 4.0

  • Attack Vector: ADJACENT
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 6, 2026, 12:16 a.m.
Last Modified: June 6, 2026, 12:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

f23511db-6c3e-4e32-a477-6aa17d310630

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.