TP-Link has issued a formal security advisory disclosing five authenticated vulnerabilities, CVE-2026-6239, CVE-2026-6240, CVE-2026-6241, CVE-2026-6242, and CVE-2026-34123, affecting the widely deployed Tapo C520WS v2 outdoor security camera. All affected firmware versions prior to 1.2.6 Build 260528 are exposed, and users are strongly urged to update immediately.
The TP-Link Tapo C520WS v2 is a popular outdoor pan-tilt security camera used in both residential and commercial surveillance environments.
Discovered and disclosed as of June 6, 2026, this latest batch of vulnerabilities targets the camera’s ONVIF management interface, the industry-standard protocol used for IP camera interoperability and remote management.
A prior advisory in February 2026 had already disclosed heap-based buffer overflows and DoS flaws in the same device line, highlighting a persistent attack surface in TP-Link’s IoT firmware engineering.
The five new CVEs are split into two vulnerability classes: stack-based buffer overflows (CVE-2026-6239 and CVE-2026-6240) and format string vulnerabilities (CVE-2026-6241 and CVE-2026-6242), as well as an API authorization bypass (CVE-2026-34123).
CVE-2026-6239 – ONVIF CreateUsers Stack Overflow
A stack-based buffer overflow exists in the ONVIF CreateUsers service due to a failure to validate the number of user nodes in the XML during request parsing.
An authenticated attacker on the adjacent network can send a specially crafted ONVIF request with an excessive number of user entries, triggering memory corruption and crashing the ONVIF management service, resulting in a denial-of-service (DoS) condition that disrupts device configuration and remote management capabilities.
CVSS v4.0 Score: 6.8 (Medium)CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2026-6240 – ONVIF DeleteUsers Stack Overflow
The ONVIF DeleteUsers service contains a parallel stack-based buffer overflow due to insufficient boundary checks when processing multiple user-deletion identifiers.
A crafted request with an excessive number of identifiers can overflow the stack, causing a service crash or deadlock that prevents managing device users and monitoring camera feeds remotely.
CVSS v4.0 Score: 6.8 (Medium)CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2026-6241 – ONVIF AddScopes Format String Vulnerability
An authenticated format string vulnerability in the ONVIF AddScopes method allows user-controlled input to reach formatting functions without adequate sanitization.
An attacker can inject format specifiers such as %s, %n, or %x into ONVIF scope parameters, manipulating memory-handling behavior and causing the ONVIF management service to crash, resulting in a DoS that impairs normal device operation.
CVSS v4.0 Score: 6.8 (Medium)CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2026-6242 – ONVIF Subscribe Service Format String Flaw
The ONVIF Subscribe service is vulnerable to a format string attack due to improper handling of externally supplied parameters in notification generation paths.
Injecting crafted format strings into event subscription requests can terminate the event notification service unexpectedly, severing real-time alarm functionality and disrupting event notifications, with a significant impact in live surveillance contexts.
CVSS v4.0 Score: 6.8 (Medium)CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2026-34123 – Whitelist Bypass via API Method Mapping (High Severity)
The most critical of the five flaws, CVE-2026-34123, is rated CVSS 7.0 (High) and involves a logic flaw in the device’s API authorization mechanism.
Restricted accounts, such as hub user roles intended only for low-sensitivity operations, can exploit a “method mapping” behavior flaw to disguise restricted operations as permitted requests, bypassing whitelist validation entirely.
Successful exploitation can allow a restricted attacker to execute sensitive operations, including device resets, unauthorized configuration changes, or complete disruption of device availability and integrity.
CVSS v4.0 Score: 7.0 (High)CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Affected Products and Fixed Versions
| Product | Affected Firmware | CVE IDs |
|---|---|---|
| Tapo C520WS v2 | < 1.2.6 Build 260528 | CVE-2026-6239, CVE-2026-6240, CVE-2026-6241, CVE-2026-6242, CVE-2026-34123 |
This is the third major vulnerability disclosure batch affecting the Tapo C520WS in 2026 alone, following January’s unauthenticated DoS CVEs (CVE-2026-0918, CVE-2026-0919, CVE-2026-1315) and February’s heap-based buffer overflow series (CVE-2026-34118 to CVE-2026-34122). The recurring vulnerability pattern indicates systemic weaknesses in input validation across TP-Link’s ONVIF and HTTP service implementations across the Tapo camera product line.
Mitigations
TP-Link strongly recommends the following immediate actions for all affected Tapo C520WS v2 users:
- Update firmware to version 1.2.6 Build 260528 or later via the Tapo mobile app, device web UI, or the TP-Link official support page
- Network segmentation: Place IoT cameras on a dedicated VLAN or guest network, isolated from corporate or sensitive infrastructure
- Restrict ONVIF access: Use firewall ACLs or access control policies to limit which hosts can reach the device’s ONVIF management interface
- Audit restricted accounts: Review hub user and restricted role assignments on all Tapo devices to identify potential CVE-2026-34123 exposure
- Monitor device logs: Watch for unexpected reboots, service crashes, or unauthorized configuration changes as early indicators of exploitation
Frequently Asked Questions (FAQs)
Q1: Who is affected by these TP-Link Tapo C520WS vulnerabilities? Any user running Tapo C520WS v2 firmware older than version 1.2.6 Build 260528 is at risk from all five CVEs.
Q2: Can these vulnerabilities be exploited remotely without authentication? No, all five CVEs require the attacker to be authenticated and on an adjacent network segment, reducing (but not eliminating) the attack surface.
Q3: What is the highest-severity CVE in this advisory?CVE-2026-34123 carries the highest CVSS v4.0 score of 7.0 (High) due to its ability to bypass the API whitelist for restricted accounts.
Q4: How do I update the firmware on my Tapo C520WS? Open the Tapo mobile app, go to your camera’s Device Settings → Device Info → Check for Updates, or download the firmware directly from TP-Link’s official support page.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
