CVE-2026-34123

Published: Giu 06, 2026 Last Modified: Giu 06, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,0

Source: f23511db-6c3e-4e32-a477-6aa17d310630

Attack Vector: adjacent

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

On Tapo
C520WS v2, restricted accounts (for example, hub users) are intended to execute
only a limited set of low‑sensitivity operations. Due to a logic flaw in the
device’s API authorization mechanism, an attacker can craft requests that
leverage legitimate “method mapping” behavior to bypass whitelist restrictions,
allowing restricted operations to be masked as permitted requests and executed.

Successful
exploitation may allow an attacker (with access to a restricted account) to
execute unauthorized sensitive operations.
Depending on the operation invoked, impact could include device
resets, unintended configuration changes, or disruption of normal operation,
leading to loss of availability and integrity of the device.

287

Improper Authentication

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://www.tp-link.com/en/support/download/tapo-c520ws/#Fi…

https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes

https://www.tp-link.com/us/support/download/tapo-c520ws/#Fi…

https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes

https://www.tp-link.com/us/support/faq/5120/

CVE-2026-34123

Description

Improper Authentication

Common Consequences

Applicable Platforms

Iscriviti alla newsletter