TP-Link Tapo Devices Leak Setup Data Over Bluetooth: CVE-2026-34126, Update Firmware Now

TP-Link's popular Tapo line of home smart devices has a security flaw in which the communication exchanged during initial setup is not encrypted, allowing someone standing nearby to read it. Japan's vulnerability coordination body JPCERT/CC disclosed it on June 4, 2026 as JVN#70631953, with the common identifier CVE-2026-34126.

Three products are affected: the color-changing smart LED bulb "Tapo L535E," the remotely controllable smart power strip "Tapo P300," and the indoor chime "Tapo D100C" that ships with video doorbells. When you first take any of them out of the box and connect to the smartphone app, the Bluetooth communication used for setup flows in the clear. TP-Link has already released fixed firmware (the internal software that runs the device), and owners of the affected models are urged to update to the latest version.

This article walks through which products are affected, what actually happens, how demanding the real-world exploitation conditions are, and what to do with your own devices right now, in plain terms.

Which products are affected, and which firmware to update to

Three products are affected. All are Tapo-brand home smart devices also sold in Japan. The fixed firmware version differs by product and by sales region. The fixed versions for the Japanese market (region code JP) are listed below.

The one most easily overlooked is the third item, the Tapo D100C. Rather than a chime you buy on its own, it is the "indoor receiver that rings inside the house" bundled with video doorbells and smart locks. According to JVN, the D100C is also included with products such as the D130, D210, D235, D225, TD21, TDB21, and TD25. If you use one of these doorbell or smart-lock kits, you may have an affected device sitting in your home without realizing it.

Separate fixed versions also exist for overseas markets, such as the Tapo L535E v3.0 (region EU/US) and the EU version of the Tapo P300 (1.4.2 Build 251219 Rel.142654 or later). For products bought in Japan, the JP firmware in the table above is the reference. The update procedure is explained concretely in the later "What to do right now" section.

What happens: the setup communication was not encrypted

When you first connect a Tapo device to the "Tapo" smartphone app, it first talks to the nearby phone over Bluetooth and exchanges the information needed to join your home Wi-Fi. Once setup is complete the device runs over Wi-Fi from then on, so Bluetooth is basically used only during this first setup.

The problem this time is that this setup-time Bluetooth communication was not encrypted and flowed in cleartext (raw data anyone can read). If it were encrypted, the contents could not be read even if the radio signal were intercepted. But in cleartext, a third party within Bluetooth range only has to capture the signal with the right equipment to see the contents of what is being exchanged during setup.

CVE-2026-34126: setup-time Bluetooth communication flows in cleartext

This flaw has been assigned the identifier CVE-2026-34126. Technically it falls under "Cleartext Transmission of Sensitive Information (CWE-319)," a class of problem where information that should be hidden through encryption is sent without being hidden at all. JVN credits the report to eyegrep and izurina of L-Plus LLC.

According to JVN's description, the potential impact is not limited to mere eavesdropping. It states that a man-in-the-middle attack (intercepting and altering communication mid-stream) or Bluetooth sniffing could intercept and tamper with the communication, or take unauthorized control of the device during initial setup. The severity score out of 10 (CVSS v4.0) is 7.3, classified as "High," the second-highest of four levels.

Who wants this bug, and what do they walk off with

What is unsettling is that the stage for this vulnerability is not "a server in a faraway country" but the very few minutes when you take a new bulb or doorbell out of the box and set it up. No advanced remote technique is needed; all it takes is getting within Bluetooth range, nothing more.

Picture the people within a few meters of you. A neighbor in the next unit or the floor above, a housemate in a shared house, a stranger who came by for a viewing or repair shortly after you moved in, someone at the next desk in a coworking space. If such a person has a laptop open nearby while you are setting up a new Tapo device, then during setup the information used to join your home Wi-Fi, and the information that links your Tapo account to the device, flows into their hands unencrypted. Have those few minutes of signal captured, and the "in-home-only connection" you believe you are protecting is written out to the outside, right there on the spot.

More troubling is that JVN mentions not only "interception" but "tampering" and "unauthorized control of the device." This means there is room not just to peek, but to cut into the setup communication, inject false instructions, and bring the device under the attacker's control (a man-in-the-middle attack). When the device belongs to the doorbell or home-camera family, that goes straight to the question of whose hands the front-door video and the chime end up in. For a power strip, it can become an entry point for controlling appliances on and off from outside.

The "7.3" score is only a yardstick of technical severity. What a household user can really lose is control of the doorbell that watches the front door, and a foothold into the home Wi-Fi line that every device in the house hangs off of. Behind the reassurance of adding a new smart device, the reality this time is that those few minutes of setup were left open to someone else.

How demanding are the real-world exploitation conditions

There is no need to be overly frightened. Several conditions must line up for this vulnerability to be exploited. Let us be clear up front: this is not the kind of problem that can be targeted all at once from anywhere on the internet.

Reading the CVSS breakdown, exploitation requires the following. First, the attacker must be at very close range, within Bluetooth signal reach (the adjacent network). Second, the attack must be carried out at the very moment the device is being set up for the first time, because Bluetooth is used only during setup, so the cleartext information flows only then. It also requires user action (the act of setting up the product), plus timing and preparation to make the attack succeed.

What cannot be taken lightly, on the other hand, is that the attack requires no prior authentication such as a password or login. The attacker need not impersonate a legitimate user or hijack an account; they only have to be within signal range and catch the moment of setup. "The conditions are limited, but if they are met it gets through without an authentication wall" is why the severity rises to 7.3. Unlike an unauthenticated remote attack on factory software that lands in one shot over the internet, this is a physical attack surface that presupposes proximity.

For reference, as of June 5, 2026 this case is not listed in the KEV catalog that the U.S. agency CISA maintains of vulnerabilities "actually being used in attacks." No proof-of-concept (PoC) exploit code has been confirmed public either. There is no situation of "active widespread exploitation right now," but because the structure that reliably leaks information during the limited setup window remains, it is well worth closing off by updating to the fixed version.

Why setup-related problems keep recurring in Tapo

This is not the first time Tapo products have been flagged for "unprotected setup communication." Back in 2023, researchers reported that the authentication information exchanged between the smart bulb "Tapo L530E" and its app was handled in a near-cleartext form, creating a risk that a user's password could be stolen. The current CVE-2026-34126 shares the same root: the setup-phase communication is not encrypted.

Behind this lies a circumstance common to smart devices. Bulbs, outlets, and small chimes have their processing power and memory kept to the bare minimum to keep prices low. On top of that, securely exchanging keys and establishing encrypted communication while the device is still "fresh out of the box" and not yet on Wi-Fi is harder than it looks. The more you try to simplify the setup step, the easier it is for that first connection to be left thin, a structural weakness.

The more smart devices a home accumulates, the more these "first few minutes" add up to affect the safety of the whole house. Worse than a single bulb or doorbell being hijacked is handing over a clue to the shared home Wi-Fi line, which in the long run is the heavier problem. That is exactly why, when a maker acknowledges a vulnerability and ships fixed firmware, users properly receiving it through an update is a plain but effective defense.

What to do right now

For owners of an affected device, there is basically just one thing to do: update the firmware. The steps are as follows.

• Open the "Tapo" app on your phone and select the affected device (L535E / P300 / D100C, or a doorbell/smart-lock kit that includes the D100C)
• Check the firmware version on the device settings screen, and update if it is older than the number in the table above
• If the app offers an automatic update, follow it. For a manual update, check the latest firmware for your model on the TP-Link download page
• Keep the app itself up to date too, so you receive update notices and setup steps in their newest form

For devices you have already set up and are using, there is generally no need to redo the setup. The problem occurs only "during initial setup," and normal use after setup runs over Wi-Fi, which is outside the scope of this issue. Still, we recommend updating the firmware itself, so that you avoid setting up in cleartext again during a future factory reset, replacement, or re-setup after a move.

When you set up a new Tapo device from now on, simply doing it inside your home where few people are around, away from windows near neighboring units or hallways, can substantially lower the risk of the signal being captured nearby. With fixed firmware installed the setup communication is protected, but it is worth keeping in mind as a precautionary placement. TP-Link's official advisory (FAQ 5106) lists the affected models and fixed versions.

Worth viewing alongside the run of TP-Link product vulnerabilities

TP-Link holds a large share of home Wi-Fi routers and smart devices, yet vulnerability disclosures have continued over the past few months. On the router side, the Archer series was found to have a flaw allowing arbitrary commands to run (CVE-2026-5509), with calls to update to the latest firmware. Beyond individual product issues, combined with the U.S. move toward regulating foreign-made routers, it is a trend worth watching for Japanese households that use many TP-Link products.

Among domestic routers widely used in homes as well, there are growing occasions when nearby network gear needs updating, such as vulnerabilities disclosed across multiple NEC Aterm models. Including this Tapo case, the habit of "regularly keeping the firmware of the devices in your home up to date" is the defense that works best.

Frequently asked questions

Summary

CVE-2026-34126 is a flaw in which the setup-time Bluetooth communication of the Tapo smart bulb (L535E), smart power strip (P300), and indoor chime (D100C) flowed in cleartext without encryption. Exploitation requires the attacker to "be nearby" and "target the moment of setup," so it does not become an internet-wide mass attack. On the other hand, it is a structure that leaks information without authentication, and the severity is rated "High" at 7.3 out of 10.

TP-Link has already released fixed firmware for the three affected products. If you own an affected device, checking the firmware version in the Tapo app and updating to at least the number shown in the table closes off this issue. It does not suddenly endanger devices in everyday use, but it is safest to update now, ahead of devices you set up going forward and of re-setup at reset or replacement time.

References

• ▸ JVN#70631953 - Cleartext transmission of sensitive information in multiple TP-LINK products (June 4, 2026)
• ▸ NVD - CVE-2026-34126
• ▸ TP-Link official security advisory (FAQ 5106)
• ▸ CWE-319: Cleartext Transmission of Sensitive Information
• ▸ TP-Link Japan - Tapo product page
• ▸ Security Affairs - TP-Link Tapo L530E smart bulb flaws (2023, reference case)