CVE-2026-34123 (GCVE-0-2026-34123)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:50 – Updated: 2026-06-05 23:50
VLAI
Title
Whitelist Validation Bypass in TP-Link Tapo C520WS
Summary
On Tapo
C520WS v2, restricted accounts (for example, hub users) are intended to execute
only a limited set of low‑sensitivity operations. Due to a logic flaw in the
device’s API authorization mechanism, an attacker can craft requests that
leverage legitimate “method mapping” behavior to bypass whitelist restrictions,
allowing restricted operations to be masked as permitted requests and executed.
Successful
exploitation may allow an attacker (with access to a restricted account) to
execute unauthorized sensitive operations.
Depending on the operation invoked, impact could include device
resets, unintended configuration changes, or disruption of normal operation,
leading to loss of availability and integrity of the device.
Severity
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOn Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\u003c/p\u003e\n\n\u003cp\u003eSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute \u003cb\u003eunauthorized sensitive operations.\u0026nbsp;\n\u003c/b\u003eDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device.\u003c/p\u003e"
}
],
"value": "On Tapo\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\nallowing restricted operations to be masked as permitted requests and executed.\n\n\n\n\n\nSuccessful\nexploitation may allow an attacker (with access to a restricted account) to\nexecute unauthorized sensitive operations.\u00a0\nDepending on the operation invoked, impact could include device\nresets, unintended configuration changes, or disruption of normal operation,\nleading to loss of availability and integrity of the device."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:40.407Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Whitelist Validation Bypass in TP-Link Tapo C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-34123",
"datePublished": "2026-06-05T23:50:40.407Z",
"dateReserved": "2026-03-25T18:54:03.343Z",
"dateUpdated": "2026-06-05T23:50:40.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34123\",\"sourceIdentifier\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"published\":\"2026-06-06T00:16:40.833\",\"lastModified\":\"2026-06-06T00:16:40.833\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On Tapo\\nC520WS v2, restricted accounts (for example, hub users) are intended to execute\\nonly a limited set of low\u2011sensitivity operations. Due to a logic flaw in the\\ndevice\u2019s API authorization mechanism, an attacker can craft requests that\\nleverage legitimate \u201cmethod mapping\u201d behavior to bypass whitelist restrictions,\\nallowing restricted operations to be masked as permitted requests and executed.\\n\\n\\n\\n\\n\\nSuccessful\\nexploitation may allow an attacker (with access to a restricted account) to\\nexecute unauthorized sensitive operations.\u00a0\\nDepending on the operation invoked, impact could include device\\nresets, unintended configuration changes, or disruption of normal operation,\\nleading to loss of availability and integrity of the device.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"},{\"url\":\"https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"},{\"url\":\"https://www.tp-link.com/us/support/faq/5120/\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…