How is CVE-2026-34126 exploited?

Network reachability (info): The attacker must be physically within Bluetooth radio range (adjacent network, not reachable over the broader internet or LAN). Authentication (not-required): No credentials or account access of any kind are needed to attempt the exploit; Bluetooth sniffing and interception require no prior authentication. Victim interaction (required): A user must actively perform the initial device setup over Bluetooth, giving the attacker a window to intercept or manipulate the unencrypted exchange. Attack complexity (info): Standard Bluetooth sniffing tools are sufficient for passive eavesdropping, though man-in-the-middle manipulation introduces additional environmental timing factors that depend on the attacker being present at the exact moment of setup.

What is the impact of CVE-2026-34126?

Reads cleartext setup data transmitted over Bluetooth, which may include Wi-Fi credentials or device pairing secrets used to onboard the device. Modifies transmitted setup data in transit, potentially redirecting the device to a rogue network or injecting malicious configuration values. Gains unauthorized control of the affected device during the initialization window, allowing the attacker to enroll the device under their own account or infrastructure. Causes limited disruption to device availability during setup (low availability impact per CVSS VA:L), potentially preventing successful initialization.

Back to search

HIGHCVE-2026-34126Published 2026-05-28Modified 2026-05-28CNA TPLink

CVE-2026-34126: Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C

TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. An attacker within the Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow eavesdropping on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization. D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products: D130, D210, D235, D225, TD21, TDB21 and TD25

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is a cleartext Bluetooth transmission vulnerability affecting TP-Link Tapo smart home devices, specifically the L535E (v1.0 and v3.0), P300 (v1.0), and D100C (v1.0). During the initial setup phase, Bluetooth communication is sent without any encryption, allowing an attacker within Bluetooth range to eavesdrop on or tamper with the setup exchange using standard sniffing or man-in-the-middle techniques. No authentication is required to exploit this; successful exploitation lets an attacker read setup credentials, manipulate configuration data, or seize unauthorized control of the device during initialization. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected firmware version.

HarborGuard Coverage

Detection

Detection of CVE-2026-34126 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that incorporate affected TP-Link Tapo firmware packages. HarborGuard ingests from upstream advisory feeds continuously, so any image containing a vulnerable Tapo L535E, P300, or D100C component is flagged as soon as the record is ingested.

Available

Triage

HarborGuard is capable of surfacing this CVE with its CVSS v4.0 score of 7.3 (HIGH) and applying per-environment compliance policy weighting to determine priority relative to each customer's risk posture. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild at the fix versions (1.3.1 Build 260421 Rel.031658 for D100C; 1.4.1 Build 251016 Rel.204554 for L535E; EU_1.4.2 Build 251219 Rel.142654 and JP_1.4.0 Build 260416 Rel.014037 for P300) becomes available on HarborGuard for any environment scanning an image with the affected firmware. For customers who opt into auto-remediation, HarborGuard performs a rebuilt image, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityDetail
The attacker must be physically within Bluetooth radio range (adjacent network, not reachable over the broader internet or LAN).
AuthenticationNot required
No credentials or account access of any kind are needed to attempt the exploit; Bluetooth sniffing and interception require no prior authentication.
Victim interactionRequired
A user must actively perform the initial device setup over Bluetooth, giving the attacker a window to intercept or manipulate the unencrypted exchange.
Attack complexityDetail
Standard Bluetooth sniffing tools are sufficient for passive eavesdropping, though man-in-the-middle manipulation introduces additional environmental timing factors that depend on the attacker being present at the exact moment of setup.

Blast Radius

Reads cleartext setup data transmitted over Bluetooth, which may include Wi-Fi credentials or device pairing secrets used to onboard the device.
Modifies transmitted setup data in transit, potentially redirecting the device to a rogue network or injecting malicious configuration values.
Gains unauthorized control of the affected device during the initialization window, allowing the attacker to enroll the device under their own account or infrastructure.
Causes limited disruption to device availability during setup (low availability impact per CVSS VA:L), potentially preventing successful initialization.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34126 is active across all scanning pipelines, matching images containing affected TP-Link Tapo firmware against the advisory within minutes of publication. Where an image includes a vulnerable version of L535E, P300, or D100C firmware, a rebuild at the upstream fix version is made available. For customers who opt into auto-remediation, HarborGuard triggers a rebuilt image, executes a regression test run, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled or where compliance policy requires manual review, the finding is routed to the appropriate team inbox with full CVSS scoring context. As a compensating control until patched firmware is deployed, network-policy isolation of IoT device management interfaces and restricting physical access during device setup can reduce the window of exposure to this adjacent-network Bluetooth attack.

See how HarborGuard automates this

CVSS v4.0: 7.3
Severity: HIGH
Fixed in: 1.3.1 Build 260421 Rel.031658
Affected Products: 3

Fix available

1.3.1 Build 260421 Rel.0316581.4.1 Build 251016 Rel.204554EU_1.4.2 Build 251219 Rel.142654JP_1.4.0 Build 260416 Rel.014037

Patch commits

Affected packages

TP-Link Systems Inc. / Tapo L535E v1.0, v3.0
< 1.4.1 Build 251016 Rel.204554 (from 0)
TP-Link Systems Inc. / Tapo P300 v1.0
< EU_1.4.2 Build 251219 Rel.142654 (from 0) · < JP_1.4.0 Build 260416 Rel.014037 (from 0)
TP Link Systems Inc. / Tapo D100C v1.0
< 1.3.1 Build 260421 Rel.031658 (from 0)

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available