Description
A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in TP‑Link Tapo C520WS v2.6’s HTTP request path‑parsing module. The implementation enforces a maximum length on the raw request path but fails to account for the expansion that occurs during URI normalization. This oversight allows an attacker to send a specially crafted HTTP request that overflows a buffer, corrupts memory, and ultimately interrupts the device’s operation or forces a reboot.

Affected Systems

Only the TP‑Link Tapo C520WS camera running firmware v2.6 is affected. The vulnerability is tied to the device’s HTTP service and would be exploitable by an adversary who can communicate with the camera over the local network.

Risk and Exploitability

The CVSS score of 7.1 indicates substantial impact, yet the EPSS score is below 1 % and the weakness is not listed in the CISA KEV catalog. The likely attack vector is local network access; an attacker must be able to transmit HTTP traffic to the device, making it most relevant for unmanaged or poorly segmented networks.

Generated by OpenCVE AI on April 7, 2026 at 01:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tapo C520WS firmware to the latest version, as documented in TP‑Link’s release notes, to eliminate the path‑expansion overflow.
  • Enforce network segmentation so that the camera’s HTTP interface is only reachable from trusted segments or the local home network.
  • If updating is not immediately possible, disable or block external HTTP access to the device through firewall rules or by disabling the HTTP service in the camera’s settings.

Generated by OpenCVE AI on April 7, 2026 at 01:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
CPEs cpe:2.3:h:tp-link:tapo_c520ws:2.6:*:*:*:*:*:*:*
cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tp-link tapo C520ws
Tp-link tapo C520ws Firmware
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C520ws V2
Vendors & Products Tp-link
Tp-link tapo C520ws V2

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot.
Title Denial of Service via Path Expansion Overflow in HTTP Service in TP-Link Tapo C520WS
Weaknesses CWE-120
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Tapo C520ws Tapo C520ws Firmware Tapo C520ws V2
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-04-03T13:05:50.590Z

Reserved: 2026-03-25T18:54:03.343Z

Link: CVE-2026-34124

cve-icon Vulnrichment

Updated: 2026-04-03T13:05:46.747Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:29.310

Modified: 2026-04-06T20:22:38.030

Link: CVE-2026-34124

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:55:46Z

Weaknesses