Description
An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.

Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Modification
Action: Apply Patch
AI Analysis

Impact

An authentication bypass flaw exists in the DS configuration service of the TP‑Link Tapo C520WS firmware. The HTTP handler processes JSON requests inconsistently, allowing an attacker to append an authentication‑exempt action to a privileged request. The firmware then treats the request as authenticated and executes configuration changes that normally require authorization. This results in unauthorized modification of device settings, potentially altering device behavior without the owner’s consent.

Affected Systems

The vulnerability affects TP‑Link Tapo C520WS devices running firmware version 2.6. No other TP‑Link products or firmware versions are listed as impacted in the available data.

Risk and Exploitability

The CVSS base score of 8.7 indicates a high severity vulnerability. The EPSS score of less than 1 % suggests that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be network‑based: an unauthenticated attacker must be able to send crafted HTTP/JSON requests to the device to exploit the faulty request parsing and authorization logic.

Generated by OpenCVE AI on April 7, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from TP‑Link’s official website, ensuring the device runs a version newer than 2.6.
  • If an update is not available, restrict or block access to the DS configuration service by disabling it in the device settings or by configuring device‑level firewall rules to deny external HTTP traffic.
  • After updating or disabling the service, verify that authentication checks for configuration actions are properly enforced by attempting to run privileged commands without authentication, confirming that the bypass no longer occurs.
  • Segment the network so that only trusted devices can communicate with the Tapo C520WS, and monitor HTTP traffic for suspicious or malformed requests that may indicate exploitation attempts.

Generated by OpenCVE AI on April 7, 2026 at 02:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
CPEs cpe:2.3:h:tp-link:tapo_c520ws:2.6:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C520ws V2
Vendors & Products Tp-link
Tp-link tapo C520ws V2

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.
Title Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential of TP-Link Tapo C520WS
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Tp-link Tapo C520ws Tapo C520ws Firmware Tapo C520ws V2
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-02T17:58:52.376Z

Reserved: 2026-03-25T18:54:03.343Z

Link: CVE-2026-34121

cve-icon Vulnrichment

Updated: 2026-04-02T17:58:47.830Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:28.990

Modified: 2026-04-06T20:24:48.170

Link: CVE-2026-34121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:48Z

Weaknesses