CVE-2026-34126
Description
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow them to eavesdrop on Bluetooth communication, manipulate transmitted setup data, and potentially gain unauthorized control of the device during initialization.
D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products:
D130, D210, D235, D225, TD21, TDB21 and TD25
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bluetooth setup communication in cleartext on Tapo L535E, P300, and D100C allows nearby attackers to eavesdrop and manipulate data, potentially gaining device control.
Vulnerability
TP-Link identified that Bluetooth communication during the initial setup phase on Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0 is transmitted in cleartext without encryption. Bluetooth is only used during initialization, making the device vulnerable only at that stage [3]. The affected products include the D100C chime, which ships with several Tapo camera models such as D130, D210, D235, D225, TD21, TDB21, and TD25 [3].
Exploitation
An attacker within Bluetooth range (typically up to 10–100 meters) can exploit this using Bluetooth sniffing or man-in-the-middle (MITM) techniques. The attack requires the user to be in the process of setting up the device, providing the attacker a window to eavesdrop on the pairing data and inject or alter transmitted setup packets [3]. No authentication or prior access is needed; only physical proximity and user interaction during setup are required.
Impact
Successful exploitation allows an attacker to eavesdrop on Bluetooth setup communication, manipulate transmitted setup data, and potentially gain unauthorized control of the device during initialization. This leads to high confidentiality and integrity impact, as the attacker can intercept sensitive configuration information or implant malicious settings. Availability impact is low, and no downstream effects on adjacent systems are expected [3].
Mitigation
TP-Link released fixed firmware versions for all affected products. Users should update to the following versions via the Tapo app or download portals:
- Tapo L535E v1.0 (JP region): firmware 1.4.1 Build 251016 Rel.204554 [2]
- Tapo L535E v3.0 (EU/US): same firmware [3]
- Tapo P300 v1.0 (EU): 1.4.2 Build 251219 Rel.142654 [1][4]
- Tapo P300 v1.0 (JP): 1.4.0 Build 260416 Rel.014037 [1][4]
- Tapo D100C v1.0 (EU/JP/US): 1.3.1 Build 260421 Rel.031658 [3]
No workarounds are available; updating firmware is the sole mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
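A per-region firmware check against the fixed versions listed under Mitigation, as an added example that is not part of the CVE record or any TP-Link tooling. It shows why the comparison has to be keyed by model, hardware version and region: the fixed P300 build for JP (1.4.0) carries a lower version number than the fixed build for EU (1.4.2). The ordering rule (version, then build, then release stamp), the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed firmware per (model, hardware version, regions), copied from the Mitigation text.
_ROWS = [
    ("L535E", "1.0", ("JP",), "1.4.1 Build 251016 Rel.204554"),
    ("L535E", "3.0", ("EU", "US"), "1.4.1 Build 251016 Rel.204554"),
    ("P300", "1.0", ("EU",), "1.4.2 Build 251219 Rel.142654"),
    ("P300", "1.0", ("JP",), "1.4.0 Build 260416 Rel.014037"),
    ("D100C", "1.0", ("EU", "JP", "US"), "1.3.1 Build 260421 Rel.031658"),
]
FIXED = {(m, hw, r): fw for m, hw, regions, fw in _ROWS for r in regions}
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d+)\s+Rel\.(\d+)\s*$")

def parse_firmware(text):
    """Turn '1.4.2 Build 251219 Rel.142654' into a sortable tuple."""
    m = _FW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, patch, build, rel = (int(g) for g in m.groups())
    # Assumption: order by version first, then build, then release stamp.
    return ((major, minor, patch), build, rel)

def needs_update(model, hw, region, installed):
    """True = below the fixed release, False = fixed, None = not in the advisory."""
    fixed = FIXED.get((model.upper(), hw, region.upper()))
    if fixed is None:
        return None
    return parse_firmware(installed) < parse_firmware(fixed)

def triage(inventory):
    """Return (name, verdict) pairs for a list of device dicts."""
    return [(d["name"], needs_update(d["model"], d["hw"], d["region"], d["fw"]))
            for d in inventory]

# Constructed sample inventory; device names and installed versions are made up.
SAMPLE = [
    {"name": "porch-strip", "model": "P300", "hw": "1.0", "region": "JP",
     "fw": "1.4.0 Build 260416 Rel.014037"},
    {"name": "desk-strip", "model": "P300", "hw": "1.0", "region": "EU",
     "fw": "1.4.0 Build 260416 Rel.014037"},
    {"name": "door-chime", "model": "D100C", "hw": "1.0", "region": "US",
     "fw": "1.3.0 Build 250101 Rel.000000"},
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(name, {True: "UPDATE", False: "ok", None: "not listed"}[verdict])
```

A verdict of `None` means the model, hardware version and region combination does not appear in the advisory, which is different from being confirmed fixed.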
Affected products
- (no CPE) range: =1.0.0
- (no CPE) range: 1.0
- Range: 1.0, 3.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 6
News mentions
No linked articles in our index yet.