CVE-2026-34126
Cleartext Bluetooth Communication in Tapo Devices
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: TPLink
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | tapo_l535e | 1.0 |
| tp-link | tapo_l535e | 3.0 |
| tp-link | tapo_p300 | 1.0 |
| tp-link | tapo_d100c | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves unencrypted Bluetooth communication during the initial setup phase of certain TP-Link Tapo devices, which could allow attackers within Bluetooth range to intercept or manipulate setup data and potentially gain unauthorized control of the device.
This exposure of sensitive setup data in cleartext could lead to unauthorized access or data interception, which may conflict with data protection principles found in regulations such as GDPR or HIPAA that require protection of personal and sensitive information.
However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.
Can you explain this vulnerability to me?
This vulnerability affects certain TP-Link Tapo devices (L535E v1.0 and v3.0, P300 v1.0, and D100C v1.0) where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption.
Because Bluetooth is only used during initialization, an attacker within Bluetooth range could exploit this by sniffing the Bluetooth communication or performing a man-in-the-middle attack.
This could allow the attacker to eavesdrop on the communication, manipulate the setup data being transmitted, and potentially gain unauthorized control of the device during its initialization.
How can this vulnerability impact me? :
If you are within Bluetooth range during the initial setup of the affected Tapo devices, an attacker could intercept and manipulate the Bluetooth communication.
This could lead to unauthorized control of your device during initialization, potentially compromising the device's security and functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Bluetooth communication during the initial setup phase being transmitted in cleartext without encryption.
Detection can be performed by monitoring Bluetooth traffic within range of the affected devices to identify unencrypted Bluetooth communication during device initialization.
Commands or tools that can be used include Bluetooth sniffing utilities such as 'hcidump' or 'bluetoothctl' on Linux systems to capture and analyze Bluetooth packets.
- Use 'hcidump' to capture Bluetooth traffic: sudo hcidump -i hci0
- Use 'bluetoothctl' to scan and monitor devices: bluetoothctl scan on
- Analyze captured packets for unencrypted data during device initialization.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using Bluetooth for device initialization in environments where attackers could be within Bluetooth range.
Ensure that the affected devices are set up in secure, controlled environments to prevent unauthorized Bluetooth sniffing or man-in-the-middle attacks.
If possible, delay or avoid the initial setup phase in unsecured areas or use wired or alternative secure methods for device configuration.
Monitor for firmware updates from TP-Link that address this vulnerability and apply them promptly.