cvedb.io
CVE-2026-34121
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-04-02T18:16:28.990 · Last modified 2026-06-17T10:38:34.027

Summary

An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.

Affected products

tp-link — tapo_c520ws_firmware

Does this affect you?

Add your gear to cvedb and we'll alert you only when tp-link ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.