Multiple TP-Link Tapo C520WS flaws can let nearby attackers crash cameras or bypass auth
TP-Link has disclosed several high-severity vulnerabilities affecting the Tapo C520WS v2.6 smart camera, and the most serious one can let an unauthenticated attacker on the same network bypass authorization and make restricted configuration changes. TP-Link’s advisory says the bugs also include multiple denial-of-service issues that can crash services, freeze the device, or force a reboot.
The top issue is CVE-2026-34121, which TP-Link rates 8.7 under CVSS v4.0. According to the company, the flaw sits in the DS configuration service and comes from inconsistent parsing and authorization logic in JSON requests, allowing an attacker to append an authentication-exempt action to a privileged request and bypass checks.
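To make the bug class concrete, here is an added example (not TP-Link's code and not taken from the advisory) of a multi-action JSON handler whose authorization check and dispatcher disagree about which actions a request contains, next to a version that authorizes every action before running any. The request layout, action names, and token are hypothetical, and checking only the last action is one assumed way such an inconsistency can arise.

```python
import json

# Constructed model of a multi-action config service. Action names, the
# request layout and the token are hypothetical, not the camera's real API.
AUTH_EXEMPT = {"get_device_info"}
VALID_TOKENS = {"constructed-session-token"}

def _run(action, state):
    """Execute one action against the in-memory device state."""
    if action["name"] == "get_device_info":
        return {"model": state["model"]}
    if action["name"] == "set_option":
        state.update(action["args"])
        return {"ok": True}
    raise ValueError("unknown action")

def handle_inconsistent(raw, state):
    """Flawed: the auth check inspects one action, the dispatcher runs all."""
    req = json.loads(raw)
    actions = req["actions"]
    checked = actions[-1]["name"]  # authorization view: last action only
    if checked not in AUTH_EXEMPT and req.get("token") not in VALID_TOKENS:
        return {"error": "unauthorized"}
    return {"results": [_run(a, state) for a in actions]}  # execution view: all

def handle_consistent(raw, state):
    """Hardened: every action that will run is authorized before any runs."""
    req = json.loads(raw)
    actions = req["actions"]
    authed = req.get("token") in VALID_TOKENS
    for a in actions:
        if a["name"] not in AUTH_EXEMPT and not authed:
            return {"error": "unauthorized"}  # reject the whole request
    return {"results": [_run(a, state) for a in actions]}

# Constructed sample: a privileged action followed by an exempt one, no token.
MIXED = json.dumps({"actions": [
    {"name": "set_option", "args": {"motion_alerts": False}},
    {"name": "get_device_info", "args": {}},
]})

def demo():
    """Run the same unauthenticated request through both handlers."""
    s1 = {"model": "example-cam", "motion_alerts": True}
    s2 = dict(s1)
    r1 = handle_inconsistent(MIXED, s1)
    r2 = handle_consistent(MIXED, s2)
    return r1, s1["motion_alerts"], r2, s2["motion_alerts"]
```

The design point for reviewers is that the authorization decision and the execution loop must iterate over the same parsed list of actions, and the request must be rejected as a whole before any state changes.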
The other disclosed flaws mostly center on memory handling bugs that can trigger denial-of-service conditions. TP-Link says CVE-2026-34118, CVE-2026-34119, CVE-2026-34120, CVE-2026-34122, and CVE-2026-34124 can all let an adjacent attacker crash processes or interrupt the device through crafted HTTP, configuration, or streaming input.
What the TP-Link advisory confirms
TP-Link says the affected product is the Tapo C520WS v2.6 running firmware earlier than 1.2.4 Build 260326 Rel.24666n. That makes the fix straightforward in theory, since the company has already published patched firmware and tells users to update through its official download channels.
The three heap-based overflow bugs, CVE-2026-34118 through CVE-2026-34120, each carry a CVSS v4.0 score of 7.1. TP-Link says they stem from weak boundary validation during HTTP POST handling, segmented request processing, or asynchronous local video stream parsing.
TP-Link also lists CVE-2026-34122 as a stack-based buffer overflow in the DS configuration service and CVE-2026-34124 as a path expansion overflow in HTTP request parsing. The company says both can lead to denial-of-service conditions, including service crashes, system interruption, or device reboot.
Why this matters for users
These bugs do not appear to be exploitable remotely from anywhere on the internet. TP-Link repeatedly describes the attack path as coming from an attacker on the same or adjacent network segment, which lowers the exposure somewhat but still creates real risk for homes, offices, shared Wi-Fi environments, and any place where network trust is too broad.
For a security camera, even a simple denial-of-service bug matters. If the camera crashes or reboots during an attack, the result can be a surveillance blind spot at the exact moment an attacker wants visibility to disappear. That is an inference from TP-Link’s stated impact that the bugs can cause service crashes or device reboots.
The authentication bypass raises the bigger red flag. If exploited successfully, it can let an unauthenticated nearby attacker change restricted settings without valid credentials, which goes beyond nuisance-level disruption and enters unauthorized device control territory.
Vulnerabilities at a glance
| CVE | Type | TP-Link severity | Reported impact |
|---|---|---|---|
| CVE-2026-34121 | Authentication bypass | 8.7 | Unauthorized configuration changes |
| CVE-2026-34118 | Heap-based buffer overflow | 7.1 | DoS, crash, unresponsive process |
| CVE-2026-34119 | Heap-based buffer overflow | 7.1 | DoS, crash, unresponsive process |
| CVE-2026-34120 | Heap-based buffer overflow | 7.1 | DoS tied to stream parsing |
| CVE-2026-34122 | Stack-based buffer overflow | 7.1 | Service crash or reboot |
| CVE-2026-34124 | Path expansion overflow | 7.1 | System interruption or reboot |
Source: TP-Link security advisory.
What affected users should do now
- Check whether your camera is a **Tapo C520WS v2.6**.
- Update to firmware **1.2.4 Build 260326 Rel.24666n** or newer.
- Use TP-Link’s official firmware page or the Tapo app to install the update.
- Avoid leaving the camera on untrusted or shared local networks until you patch it.
- Review device settings after updating if you suspect someone had local network access.
FAQ
Yes. TP-Link says several of the disclosed vulnerabilities can cause denial-of-service conditions, including service crashes, device unresponsiveness, or reboots.
Yes. TP-Link says CVE-2026-34121 can let an unauthenticated attacker bypass authorization in the DS configuration service and execute restricted configuration actions.
TP-Link’s advisory names the Tapo C520WS v2.6 as the affected product.
TP-Link says the fixed version is 1.2.4 Build 260326 Rel.24666n or later.