CVE-2026-34126
Analyzed Analyzed - Analysis Complete
Cleartext Bluetooth Communication in Tapo Devices

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: TPLink

Description
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.Β  An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-34126
EUVD
EUVD-2026-32969
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
tp-link tapo_l535e_firmware 1.4.1
tp-link tapo_p300_firmware 1.4.0
tp-link tapo_p300_firmware 1.4.2
tp-link tapo_d100c_firmware 1.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves unencrypted Bluetooth communication during the initial setup phase of certain TP-Link Tapo devices, which could allow attackers within Bluetooth range to intercept or manipulate setup data and potentially gain unauthorized control of the device.

This exposure of sensitive setup data in cleartext could lead to unauthorized access or data interception, which may conflict with data protection principles found in regulations such as GDPR or HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.

Executive Summary

This vulnerability affects certain TP-Link Tapo devices (L535E v1.0 and v3.0, P300 v1.0, and D100C v1.0) where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption.

Because Bluetooth is only used during initialization, an attacker within Bluetooth range could exploit this by sniffing the Bluetooth communication or performing a man-in-the-middle attack.

This could allow the attacker to eavesdrop on the communication, manipulate the setup data being transmitted, and potentially gain unauthorized control of the device during its initialization.

Impact Analysis

If you are within Bluetooth range during the initial setup of the affected Tapo devices, an attacker could intercept and manipulate the Bluetooth communication.

This could lead to unauthorized control of your device during initialization, potentially compromising the device's security and functionality.

Detection Guidance

This vulnerability involves Bluetooth communication during the initial setup phase being transmitted in cleartext without encryption.

Detection can be performed by monitoring Bluetooth traffic within range of the affected devices to identify unencrypted Bluetooth communication during device initialization.

Commands or tools that can be used include Bluetooth sniffing utilities such as 'hcidump' or 'bluetoothctl' on Linux systems to capture and analyze Bluetooth packets.

  • Use 'hcidump' to capture Bluetooth traffic: sudo hcidump -i hci0
  • Use 'bluetoothctl' to scan and monitor devices: bluetoothctl scan on
  • Analyze captured packets for unencrypted data during device initialization.
Mitigation Strategies

To mitigate this vulnerability, avoid using Bluetooth for device initialization in environments where attackers could be within Bluetooth range.

Ensure that the affected devices are set up in secure, controlled environments to prevent unauthorized Bluetooth sniffing or man-in-the-middle attacks.

If possible, delay or avoid the initial setup phase in unsecured areas or use wired or alternative secure methods for device configuration.

Monitor for firmware updates from TP-Link that address this vulnerability and apply them promptly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart