Security Advisory: Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on Tapo L535E, P300 and D100C (CVE-2026-34126)
Vulnerability and Impact Description:
CVE-2026-34126
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization.
An attacker within Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques, which may allow them to eavesdrop on Bluetooth communication, manipulate transmitted setup data and potentially gain unauthorized control of the device during initialization.
CVSS v4.0 Score: 7.3 / High
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
| Product Model | Hardware Version | Region | Fixed Firmware Version |
| --- | --- | --- | --- |
| Tapo L535E | v3.0 | EU / US | 1.4.1 Build 251016 Rel.204554 |
| Tapo L535E | v1.0 | JP | 1.4.1 Build 251016 Rel.204554 |
| Tapo P300 | v1.0 | EU | 1.4.2 Build 251219 Rel.142654 |
| Tapo P300 | v1.0 | JP | 1.4.0 Build 260416 Rel.014037 |
| Tapo D100C | v1.0 | EU / JP / US | 1.3.1 Build 260421 Rel.031658 |
Note: D100C is the chime delivered with your Tapo camera, and it is delivered with the following Tapo products:
D130, D210, D235, D225, TD21, TDB21 and TD25
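For anyone tracking more than a handful of these devices, the following added example (not TP-Link code) checks an inventory against the fixed firmware versions listed in this advisory. The inventory rows are constructed, and the ordering rule (dotted version, then Build, then Rel number) is an assumption about how these firmware strings compare.

```python
import re

# Fixed firmware per (model, hardware version, region), copied from the advisory table.
FIXED = {
    ("Tapo L535E", "v3.0", "EU"): "1.4.1 Build 251016 Rel.204554",
    ("Tapo L535E", "v3.0", "US"): "1.4.1 Build 251016 Rel.204554",
    ("Tapo L535E", "v1.0", "JP"): "1.4.1 Build 251016 Rel.204554",
    ("Tapo P300", "v1.0", "EU"): "1.4.2 Build 251219 Rel.142654",
    ("Tapo P300", "v1.0", "JP"): "1.4.0 Build 260416 Rel.014037",
    ("Tapo D100C", "v1.0", "EU"): "1.3.1 Build 260421 Rel.031658",
    ("Tapo D100C", "v1.0", "JP"): "1.3.1 Build 260421 Rel.031658",
    ("Tapo D100C", "v1.0", "US"): "1.3.1 Build 260421 Rel.031658",
}

FW_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+Build\s+(\d+)\s+Rel\.(\d+)\s*$")

def parse_firmware(text):
    """Return ((major, minor, ...), build, rel) or None if the string is malformed."""
    m = FW_RE.match(text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2)), int(m.group(3))

def triage(model, hw, region, firmware):
    """Classify one device as 'fixed', 'vulnerable', 'unlisted' or 'unparsed'."""
    fixed = FIXED.get((model, hw, region))
    if fixed is None:
        return "unlisted"   # combination not in the advisory: check with the vendor
    installed = parse_firmware(firmware)
    if installed is None:
        return "unparsed"   # never treat an unreadable version as patched
    # Assumption: ordering is by dotted version, then Build, then Rel number.
    return "fixed" if installed >= parse_firmware(fixed) else "vulnerable"

# Constructed inventory rows (model, hardware version, region, reported firmware).
INVENTORY = [
    ("Tapo P300", "v1.0", "EU", "1.4.1 Build 250801 Rel.000000"),
    ("Tapo P300", "v1.0", "JP", "1.4.0 Build 260416 Rel.014037"),
    ("Tapo D100C", "v1.0", "US", "1.3.0 Build 250101 Rel.000000"),
    ("Tapo L535E", "v1.0", "EU", "1.4.1 Build 251016 Rel.204554"),
    ("Tapo D100C", "v1.0", "JP", "unknown"),
]

def report(rows=INVENTORY):
    return [(row, triage(*row)) for row in rows]

if __name__ == "__main__":
    for row, status in report():
        print(f"{status:10} {' / '.join(row)}")
```

The fixed version differs by region for the P300, so the lookup key has to include region and hardware version rather than the model name alone.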
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update the affected devices to the latest firmware version that fixed the vulnerability:
US: Download for Tapo L535E | TP-Link
EN: Download for Tapo L535E | TP-Link
Download for Tapo P300 | TP-Link
JP: Tapo P300 Content | TP-Link Japan
Tapo L535E Contents | TP-Link Japan
- Open your Tapo app, select your chime in the device list, go to settings (gear icon), and tap “Firmware Update” to update the firmware of D100C.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.