TVE-2026-05: TP-Link offline password bruteforce

An attacker sending malformed requests over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a cryptographic design vulnerability that enables offline password bruteforce, which may lead to TAPO cloud account compromise. The vulnerability we are disclosing in this advisory affects a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory has not yet been released for this vulnerability.

Vulnerability Details

The following diagram summarizes the TAPO camera authentication procedure:

First, the client queries the acn, then calculates the digest password the following way:

    H(cnonce + H(pw) + acn) + acn + cnonce

The device_confirm value contains the hashed password to prove the identity of the device to the app (or other party), as follows:

    H(cnonce + H(pw) + acn) + acn + cnonce = device_confirm

CVE-2026-34122: TP-Link HTTP DS stack buffer overflow

An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here. This report describes a stack buffer overflow, which leads to remote code execution. The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 lists this vulnerability as CVE-2026-34122.

Vulnerability Details

There is an unsafe strcpy in the handler function of the set_park_config DS action of the HTTP server in TAPO devices:

    ds_set_park_config() {
      iVar1 = get_some_global();
      if (iVar1 != 0) {
        memcpy(&local_48,(void *)(iVar1 + 0x10),0x38);
        action_mode = jso_obj_get_string_origin(root,"enabled");
        if ((action_mode !