Denial-of-Service Vulnerability in TP-Link Tapo C520WS
CVE-2026-34124

7.1HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Tapo C520ws V2.6
Vendor
CVE Published:
2 April 2026

What is CVE-2026-34124?

A denial-of-service vulnerability exists in TP-Link Tapo C520WS v2.6 due to improper handling of HTTP request path parsing. The device enforces length restrictions on raw request paths but fails to account for path expansion that occurs during normalization. This flaw allows an attacker on the same network to send a specially crafted HTTP request, potentially resulting in buffer overflow and memory corruption. Such exploitation can lead to service interruptions or unexpected device reboots, compromising the functionality of the affected device.

Affected Version(s)

Tapo C520WS v2.6 0 < 1.2.4 Build 260326 Rel.24666n

References

https://www.tp-link.com/us/support/download/tapo-c520ws/#...
patch
https://www.tp-link.com/en/support/download/tapo-c520ws/#...
patch
https://www.tp-link.com/us/support/faq/5047/
vendor-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.