An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.

This report describes an authentication bypass vulnerability in the HTTP server implementation.

The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34121.

Vulnerability Details

In the TAPO architecture, the DS module of the HTTP server running on the device is used for storing persistent configurations (and other, dynamically generated content) and also for performing actions on the device. The HTTP server also has an authorization pass to enforce login, but not all actions require login:

  • onboarding is used before/during linking to a cloud account or the device, so there is no user/password/… to authorize against
  • login is used for providing an authorization token (stok, session token) based on account information

The implementation uses 3 “passes” to handle DS. The first pass checks what kind of action to take. The second pass checks the session’s login state, if authorization is required, based on the previous pass result. The third pass executes the actual query.

Even though there can be multiple types of actions in one request, only one action is stored. Specifically, due to a parsing differential between the passes, the first pass only stores the last action in iteration order (which matches the JSON object serialization order).

This way, a maliciously formed JSON request can bypass the authorization check, and the query gets executed.
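The following toy model, added here and not taken from TP-Link's firmware, illustrates the three-pass flaw described above next to a hardened dispatcher that authorizes every action individually. All action names, the JSON layout and the session flag are constructed assumptions; only `onboarding` and `login` correspond to the login-free action types the advisory names.

```python
"""Toy model of the three-pass DS request handling described above.

Every name here is a constructed stand-in: the real TAPO handler, its
action keys and its JSON schema are not reproduced. 'onboarding' and
'login' are the two login-free action types the advisory names;
'set_config' is a hypothetical action that should require a session.
"""
import json

PUBLIC_ACTIONS = {"onboarding", "login"}          # no session token needed
KNOWN_ACTIONS = PUBLIC_ACTIONS | {"set_config"}   # constructed action set


def vulnerable_dispatch(raw: str, logged_in: bool) -> list:
    """Pass 1 remembers only the last action key seen, pass 2 authorizes
    that single action, pass 3 executes every action in the request."""
    request = json.loads(raw)
    selected = None
    for key in request:                 # iteration == serialization order
        if key in KNOWN_ACTIONS:
            selected = key              # earlier actions are overwritten
    if selected is None:
        return ["denied"]
    if selected not in PUBLIC_ACTIONS and not logged_in:   # pass 2
        return ["denied"]
    return [f"ran:{k}" for k in request if k in KNOWN_ACTIONS]  # pass 3


def hardened_dispatch(raw: str, logged_in: bool) -> list:
    """Authorize each action on its own: one privileged action in an
    unauthenticated request denies the whole request."""
    request = json.loads(raw)
    actions = [k for k in request if k in KNOWN_ACTIONS]
    if not actions:
        return ["denied"]
    if not logged_in and any(a not in PUBLIC_ACTIONS for a in actions):
        return ["denied"]
    return [f"ran:{a}" for a in actions]


# Constructed sample: a privileged action followed by a login-free one.
MIXED_REQUEST = json.dumps({"set_config": {"k": "v"}, "login": {"user": "u"}})
```

Run both dispatchers on `MIXED_REQUEST` with `logged_in=False`: the vulnerable model executes `set_config` because only `login` was remembered for the authorization pass, while the hardened model denies the request.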

Affected Devices

  • verified: TAPO C520WS
  • potentially: TP-Link smart devices using the TAPO architecture

Timeline

  • 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
  • 2026.02.04. TP-Link acknowledges the report.
  • 2026.03.04. TP-Link confirms vulnerability and asks for time extension. TP-Link also provides erroneous analysis for several other reported vulnerabilities.
  • 2026.03.04. TASZK provides update explaining the errors in TP-Link’s assessment regarding other reported vulnerabilities, describing which CVE assignment and advisory detail assessments are incorrect.
  • 2026.03.05. TP-Link again asks for a 3 week extension, does not confirm any TASZK analysis.
  • 2026.03.06. TASZK confirms that a 3 week extension will be granted for vulnerabilities where a CVE assignment and/or Advisory correction will happen.
  • 2026.03.20. TP-Link communicates that this vulnerability (along with some others reported at the time) has been fixed and wishes TASZK to provide a black box analysis of a new firmware image. TP-Link does not confirm which submitted vulnerabilities will receive a CVE and/or Advisory correction but asks for another arbitrary extension for only 1 vulnerability.
  • 2026.03.23. TASZK confirms that the 3 week extension will be granted if the list of vulnerabilities that are receiving a CVE and/or Advisory correction will be shared, otherwise no other extension will be granted.
  • 2026.03.26-04.01. TP-Link attempts to get in touch via several non-official channels, including an attempt to show up at our offices in person uninvited. TP-Link requests additional delay for different vulnerabilities.
  • 2026.04.02. End date of original 90 day + 3 week embargo. TASZK highlights that the PSIRT keeps sending plaintext emails with sensitive vulnerability information, points out that non-PSIRT channels are considered out-of-bounds for coordinated disclosure and confirms that embargo windows will not be extended further. TASZK volunteers a 24h notice to TP-Link for advisory release.
  • 2026.04.02. TP-Link releases advisory for the vulnerability: https://www.tp-link.com/us/support/faq/5047/
  • 2026.04.06. TASZK communicates notice of release to TP-Link.
  • 2026.04.28. Advisory released.