Security Advisory: Multiple Vulnerabilities on TP-Link Tapo C520WS (CVE-2026-6239, CVE-2026-6240, CVE-2026-6241, CVE-2026-6242, CVE-2026-34123)

We identified the following vulnerabilities on Tapo C520WS v2:

Description of Vulnerabilities and Impacts:

CVE-2026-6239: Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service

A stack‑based buffer overflow vulnerability exists in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption.

Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial‑of‑service (DoS) condition that disrupts device configuration and management functions.

CVE-2026-6240: Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service

A stack‑based buffer overflow vulnerability exists in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory.

Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality.

CVE-2026-6241: Authenticated Format String Vulnerability in ONVIF AddScopes Method

An authenticated format string vulnerability is present in the ONVIF AddScopes, where user‑controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior.

Successful exploitation may cause the ONVIF management service to crash, resulting in DoS condition that impacts normal device operation.

CVE-2026-6242: Authenticated Format String Vulnerability in ONVIF Subscribe Service

An authenticated format string vulnerability exists in the ONVIF Subscribe service due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution.

Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications.

The above 4 CVEs (CVE-2026-6239 to CVE-2026-6242) share the same CVSS scores and ratings:

CVSS v4.0 Score: 6.8/ Medium

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2026-34123: Whitelist Validation Bypass in Tapo C520WS

On the device, restricted accounts (for example, hub users) are intended to execute only a limited set of low‑sensitivity operations. Due to a logic flaw in the device’s API authorization mechanism, an attacker can craft requests that leverage legitimate “method mapping” behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed.

Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations. Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device.

CVSS v4.0 Score: 7.0/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes

Recommendations

TP-Link strongly recommends that users with affected devices take the following actions:

1. Update the affected devices to the latest firmware version that fixed the vulnerability:

US: Download for Tapo C520WS | TP-Link

EN: Download for Tapo C520WS | TP-Link

Disclaimer:

This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.