Logic Flaw in Tapo C520WS v2 API Authorization Mechanism
CVE-2026-34123
7 HIGH
What is CVE-2026-34123?
A logic flaw in the API authorization mechanism of the Tapo C520WS v2 allows restricted accounts, such as hub users, to perform unauthorized operations. By exploiting this vulnerability, an attacker can craft requests that bypass the intended whitelist restrictions. This permits execution of sensitive operations, which could lead to device resets, configuration changes, and disruptions to normal functionality, consequently causing loss of availability and integrity.
Affected Version(s)
Tapo C520WS v2: versions before 1.2.6 Build 260528
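A fleet check against the affected range above, as an added example that is not part of the advisory or any vendor tooling. The firmware string layout ("x.y.z Build NNNNNN"), the inventory field names and the sample devices are assumptions made for illustration.

```python
import re

# Fixed release from the advisory: (major, minor, patch, build date).
FIXED = (1, 2, 6, 260528)

# Assumed layout: "<major>.<minor>.<patch> Build <6-digit date>", with an
# optional suffix after it. Anything else is treated as unparseable.
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})\b", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, patch, build) or raise ValueError."""
    match = _FW_RE.match(text or "")
    if match is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(model, hardware, firmware):
    """True only for Tapo C520WS v2 running firmware older than FIXED."""
    if model.strip().upper() != "C520WS" or hardware.strip().lower() != "v2":
        return False
    return parse_firmware(firmware) < FIXED


def triage(inventory):
    """Split devices into affected names and names needing manual review."""
    affected, review = [], []
    for dev in inventory:
        try:
            if is_affected(dev["model"], dev["hardware"], dev["firmware"]):
                affected.append(dev["name"])
        except ValueError:
            # Never count an unreadable version as patched.
            review.append(dev["name"])
    return affected, review


# Constructed sample inventory (hypothetical field names and values).
SAMPLE = [
    {"name": "porch", "model": "C520WS", "hardware": "v2", "firmware": "1.2.5 Build 251101"},
    {"name": "garage", "model": "C520WS", "hardware": "v2", "firmware": "1.2.6 Build 260528"},
    {"name": "yard", "model": "C520WS", "hardware": "v2", "firmware": "unknown"},
    {"name": "shed", "model": "C520WS", "hardware": "v1", "firmware": "1.0.3 Build 240312"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices whose version string cannot be parsed are returned separately so they are reviewed by hand instead of being assumed patched.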
