CVE-2026-34121
Published: 02 April 2026
Summary
CVE-2026-34121 is a high-severity Improper Authentication (CWE-287) vulnerability in Tp-Link Tapo C520Ws Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Strictly defines and limits actions performable without identification or authentication, directly preventing exploitation of authentication-exempt actions appended to privileged JSON requests.
Enforces approved authorizations for access, mitigating the inconsistent authorization logic that bypasses checks on privileged DS 'do' actions.
Validates JSON request inputs to ensure consistent parsing and reject unauthorized action appendages during HTTP handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass vulnerability in HTTP configuration service allows unauthenticated attackers to exploit a public-facing web application on the device for unauthorized privileged action execution.
NVD Description
An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt…
more
action to a request containing privileged DS do actions, bypassing authorization checks. Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.
Deeper analysisAI
CVE-2026-34121 is an authentication bypass vulnerability in the HTTP handling of the DS configuration service within TP-Link Tapo C520WS firmware version 2.6. The issue stems from inconsistent parsing and authorization logic during authentication checks on JSON requests, allowing an unauthenticated attacker to append an authentication-exempt action to a request containing privileged DS "do" actions, thereby bypassing authorization controls. Published on April 2, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).
An attacker on an adjacent network (AV:A) with low attack complexity and no required privileges (PR:N) can exploit this vulnerability without user interaction. Successful exploitation enables unauthenticated execution of restricted configuration actions on the device, potentially leading to unauthorized modification of the device state, with high impacts on confidentiality, integrity, and availability.
TP-Link advisories recommend mitigation through firmware updates, with release notes and patches available on their support pages, including https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes, https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes, and https://www.tp-link.com/us/support/faq/5047/. Security practitioners should verify and apply the latest firmware to affected Tapo C520WS devices.
Details
- CWE(s)