PatchSiren cyber security CVE debrief
CVE-2026-34123 TP-Link Systems Inc. CVE debrief
A logic flaw in the Tapo C520WS v2 device's API authorization mechanism allows restricted account users to execute unauthorized sensitive operations. The vulnerability, with a CVSS score of 7 and HIGH severity, enables attackers to bypass whitelist restrictions by crafting requests that leverage legitimate 'method mapping' behavior, potentially leading to device resets, unintended configuration changes, or disruption of normal operation.
- Vendor: TP-Link Systems Inc.
- Product: Tapo C520WS v2
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Users of Tapo C520WS v2, especially those with restricted accounts, should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by a logic flaw in the device's API authorization mechanism, allowing restricted operations to be masked as permitted requests and executed. This could lead to loss of availability and integrity of the device.
Defensive priority
HIGH
Recommended defensive actions
- Apply firmware updates from the vendor as soon as available.
- Restrict access to the device's API.
- Monitor device activity for suspicious behavior.
Evidence notes
The vendor is listed as Unknown Vendor, but evidence suggests the product is from TP-Link.
Official resources
- CVE-2026-34123 CVE record (CVE.org)
- CVE-2026-34123 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f23511db-6c3e-4e32-a477-6aa17d310630
CVE-2026-34123 was published on 2026-06-06T00:16:40.833Z and modified on 2026-06-08T15:01:06.580Z.