Description
On Tapo
C520WS v2, restricted accounts (for example, hub users) are intended to execute
only a limited set of low‑sensitivity operations. Due to a logic flaw in the
device’s API authorization mechanism, an attacker can craft requests that
leverage legitimate “method mapping” behavior to bypass whitelist restrictions,
allowing restricted operations to be masked as permitted requests and executed.





Successful
exploitation may allow an attacker (with access to a restricted account) to
execute unauthorized sensitive operations. 
Depending on the operation invoked, impact could include device
resets, unintended configuration changes, or disruption of normal operation,
leading to loss of availability and integrity of the device.
Published: 2026-06-05
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from a logic flaw in the device’s API authorization mechanism that permits an attacker to craft requests that map legitimate methods to bypass whitelist restrictions. As a result, a restricted account can execute operations that it should not be allowed to, such as resetting the device, altering configuration settings, or disrupting normal operation. The effect is loss of device availability and integrity, effectively granting an attacker partial privileged control over the device. The weakness corresponds to improper authorization, matching CWE‑287.

Affected Systems

The affected product is the TP‑Link Tapo C520WS v2. Only the second generation model of the Tapo C520WS running the original firmware is impacted; newer firmware revisions that have addressed the flaw are not mentioned in the supplied information.

Risk and Exploitability

The CVSS score of 7 indicates a high severity. For an attacker who already has credentials or access to a restricted account, the vulnerability can be leveraged via the device’s public API or local network interfaces. Although no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, the absence of exploitation data does not lower the risk, since the necessary resources to craft malicious requests are available through the exposed API and a logical bypass of the whitelist.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that corrects the API authorization flaw and restores proper whitelist enforcement.
  • Restrict external access to the device’s API by configuring firewall rules or VPN so that only trusted networks can interact with restricted accounts.
  • Disable or remove restricted user accounts from the device, or configure them to require multifactor authentication and limit their privileges, thereby reducing the impact if an attacker obtains credentials.

Generated by OpenCVE AI on June 6, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechanism, an attacker can craft requests that leverage legitimate “method mapping” behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed. Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations.  Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device.
Title Whitelist Validation Bypass in TP-Link Tapo C520WS
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-05T23:50:40.407Z

Reserved: 2026-03-25T18:54:03.343Z

Link: CVE-2026-34123

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T00:16:40.833

Modified: 2026-06-06T00:16:40.833

Link: CVE-2026-34123

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses