CVE-2026-34121 in Tapo C520WS
摘要 (英语)
An authentication bypass vulnerability within the HTTP handling of the DS configuration service in TP-Link Tapo C520WS v2.6 was identified, due to inconsistent parsing and authorization logic in JSON requests during authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.
Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
负责
TPLink
预定
2026-03-25
披露
2026-04-02
状态
已确认
条目
VulDB provides additional information and datapoints for this CVE:
| 标识符 | 漏洞 | CWE | 可利用 | 对策 | CVE |
|---|---|---|---|---|---|
| 354962 | TP-Link Tapo C520WS HTTP 弱身份验证 | 287 | 未定义 | 未定义 | CVE-2026-34121 |