Description
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.

An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. 


An attacker
within the Bluetooth range could exploit this behavior using Bluetooth sniffing
or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth
communication, manipulate transmitted setup data and potentially gain
unauthorized control of the device during initialization.



D100C is the
chime delivered with your Tapo camera, and it is delivered with the following
Tapo products:









D130, D210, D235,
D225, TD21, TDB21 and TD25
Published: 2026-05-28
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cleartext Bluetooth channel is used by TP-Link Tapo devices during the initial setup phase. The transmitted data can be captured or altered by an attacker who is within Bluetooth range. Such interception or modification may allow the attacker to obtain sensitive information or to substitute configuration parameters and thereby gain unauthorized control of the device. The weakness corresponds to CWE-319, the failure to protect data in transit.

Affected Systems

TP-Link Systems Inc. devices affected include the Tapo D100C (v1.0), the Tapo L535E (v1.0 and v3.0), and the Tapo P300 (v1.0).

Risk and Exploitability

The CVSS score of 7.3 places this vulnerability in the high severity range, though an EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires proximity, the attack vector is local; a malicious actor within a few meters of the device can perform Bluetooth sniffing or a man‑in‑the‑middle attack to eavesdrop or inject setup data. The potential impact ranges from information disclosure to full device takeover during its brief initial setup window.

Generated by OpenCVE AI on May 28, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest version that implements encryption for Bluetooth setup traffic; check the TP‑Link support pages for each product for update details.
  • If a patch is not yet available, postpone the initial setup in environments where nearby Bluetooth devices could be compromised, or limit the setup area to a trusted, isolated location.
  • After the device has been successfully set up, disable or block Bluetooth functionality on the device to reduce the attack surface, and re‑pair only with devices in a secure environment when re‑initialization is required.

Generated by OpenCVE AI on May 28, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.  An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25
Title Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C
Weaknesses CWE-319
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-05-28T19:25:53.717Z

Reserved: 2026-03-25T18:54:03.343Z

Link: CVE-2026-34126

cve-icon Vulnrichment

Updated: 2026-05-28T19:25:49.248Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-28T18:16:31.300

Modified: 2026-05-28T18:38:35.797

Link: CVE-2026-34126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses