HIGH 7.5

CVE-2026-34126: TP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C

TP-Link's Tapo smart home devices—the L535E light strip, P300 smart plug, and D100C chime—send unencrypted Bluetooth data during initial setup. An attacker nearby could intercept this traffic, eavesdrop on setup credentials or configuration, or manipulate the transmitted data to take control of a device while it's being paired. The vulnerability only affects the initialization phase; once setup is complete, Bluetooth is not used. The practical threat depends on physical proximity and whether an attacker is present during a user's setup window, which typically occurs in the home or office.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-319
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.  An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34126 stems from cleartext transmission of Bluetooth communication during device initialization in three TP-Link Tapo product lines. The vulnerability maps to CWE-319 (Cleartext Transmission of Sensitive Information) and carries a CVSS 3.1 score of 7.5 (HIGH) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack vector is adjacent (Bluetooth range), requires moderate complexity due to the need for active sniffing or MITM positioning, but demands no privileges or user interaction beyond normal device setup. An attacker could read configuration data, WiFi credentials, or device identifiers transmitted during pairing, and potentially inject malicious setup commands to compromise device functionality. Bluetooth is disabled after initialization, limiting the attack window.

Business impact

Organizations deploying Tapo smart devices for office automation, retail environments, or IoT monitoring should assess whether device setup occurs in controlled, low-threat environments or in areas accessible to potential attackers. The impact is chiefly on confidentiality and integrity of initial device configuration. Compromised devices could be misconfigured or instructed to operate maliciously, affecting automation workflows or surveillance systems. For most home and small office deployments, the risk may be acceptable if setup occurs in secure locations. Enterprise deployments or high-security environments should treat this more seriously. The fact that D100C is bundled with several camera models (D130, D210, D225, D235, TD21, TDB21, TD25) means exposure spans TP-Link's broader Tapo camera ecosystem.

Affected systems

Tapo L535E firmware versions v1.0 and v3.0; Tapo P300 firmware v1.0; Tapo D100C firmware v1.0. The D100C chime is sold as an accessory with Tapo camera models D130, D210, D225, D235, TD21, TDB21, and TD25. Check your device firmware version in the Tapo mobile app settings to confirm whether your unit is affected. Verify the exact version and availability of patches against TP-Link's official advisory.

Exploitability

Exploitation requires an attacker to be physically present within Bluetooth range (typically 10–100 meters depending on signal strength and obstacles) during the narrow setup window when a user is pairing the device. The attacker must actively sniff Bluetooth traffic or position themselves to intercept and manipulate communications. While technically straightforward with commodity Bluetooth analysis tools, the requirement for precise timing and physical proximity limits opportunistic attacks. The vulnerability is not remotely exploitable. Widespread automated exploitation is unlikely, but targeted attacks against high-value environments or deliberate supply-chain interception scenarios are plausible. CVE-2026-34126 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.

Remediation

TP-Link should release firmware updates for all affected products that implement encryption (e.g., TLS or Bluetooth LE security features) for Bluetooth communication during setup. Users should apply firmware updates as they become available. Interim mitigations include performing device setup in physically secure locations away from untrusted individuals, minimizing the number of devices set up in high-risk environments, and using network segmentation to isolate newly initialized Tapo devices from sensitive systems. For enterprise deployments, consider restricting Tapo device placement to managed, monitored facilities.

Patch guidance

Monitor TP-Link's security advisory pages and the Tapo mobile app for firmware updates addressing CVE-2026-34126. When patches are released, they will likely be distributed as over-the-air (OTA) updates within the Tapo app. To check your current firmware: open the Tapo app, navigate to the affected device's settings, and view the firmware version. Verify against TP-Link's official advisory to confirm whether your version is vulnerable and whether a patch is available. Apply updates promptly in a controlled manner to avoid disruption to automation workflows. Test patched devices in a staging environment before rolling out to production, if applicable.

Detection guidance

On-site detection of active exploitation during setup is difficult without dedicated Bluetooth monitoring. Organizations should log and review device setup activities within their network—specifically, which devices were added, when, and by whom. Monitor for unexpected or out-of-band device state changes (e.g., a device suddenly changing WiFi network, misbehaving, or losing responsiveness) that might indicate tampering during initialization. Use Bluetooth scanning tools (e.g., BLE scanners) to identify Tapo devices in proximity and check for unusual pairing activity. For network-level detection, monitor for unusual outbound connections from newly initialized Tapo devices to unexpected addresses. Endpoint detection and response (EDR) solutions may flag suspicious Bluetooth activity if deployed on gateway or hub devices.

Why prioritize this

This vulnerability warrants medium-to-high priority for organizations deploying Tapo devices in controlled environments (offices, homes with family members), and high priority for high-security or high-value facilities. The CVSS score of 7.5 reflects the potential for confidentiality, integrity, and availability impact, but the attack surface is bounded by Bluetooth range and the setup window. Prioritize patching in environments where device setup is frequent, where untrusted individuals have access, or where device compromise could cascade to other systems. For typical home and small business users with infrequent setup, the risk is lower but still important to address through patching as updates become available.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) is driven by the lack of encryption during Bluetooth initialization, which exposes sensitive configuration data to eavesdropping and manipulation. The score reflects high impact on confidentiality (C:H—plaintext data exposure), integrity (I:H—attacker can modify setup commands), and availability (A:H—attacker could brick or misconfigure the device). The adjacent network attack vector (AV:A) and high complexity (AC:H—requires active sniffing, timing, and positioning) prevent the score from reaching 'Critical', but the lack of authentication (PR:N) and the inability to completely mitigate through user behavior (UI:N) result in a substantial risk level. This is appropriate for a design flaw affecting multiple product lines.

Frequently asked questions

Can an attacker exploit this vulnerability after my device is already set up?

No. Bluetooth is only used during the initial setup phase. Once the device is configured and connected to WiFi, Bluetooth is disabled, and this vulnerability cannot be exploited. The attack window is limited to the pairing process.

Do I need to replace my device, or can a firmware update fix it?

Firmware updates should resolve this vulnerability by adding encryption to Bluetooth setup communications. Replacement is not necessary if patches are available. Wait for and apply TP-Link's official firmware updates; check the Tapo app or TP-Link's support site for release information.

What should I do right now if I own a Tapo L535E, P300, or D100C?

First, verify your device firmware version in the Tapo app. Check TP-Link's security advisory to confirm whether your version is vulnerable. If vulnerable and you have not yet applied a patch, perform setup in a physically secure location away from untrusted individuals, and watch for TP-Link firmware updates. Apply patches as soon as they are released. For devices already deployed, monitor them for unexpected behavior.

Is this vulnerability being actively exploited in the wild?

As of publication, CVE-2026-34126 is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no widespread active exploitation has been reported. However, the relatively low barrier to exploitation for an attacker with physical proximity means targeted attacks are plausible, particularly in high-value or supply-chain compromise scenarios.

This analysis is based on publicly available information and TP-Link's vulnerability disclosure as of the publication date. CVSS scores and vulnerability details are provided as-is; verify patch versions, release dates, and remediation steps directly against TP-Link's official security advisory and vendor documentation. Security analysts should validate affected firmware versions within their own environment before deploying updates. This explainer does not constitute professional security advice; organizations should conduct their own risk assessment relative to their threat model, deployment context, and regulatory obligations. No exploit code or weaponized proof-of-concept details are provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).