CVE-2026-0919

7.5 HIGH

📋 TL;DR

An unauthenticated attacker can send HTTP requests with excessively long URL paths to Tapo C220 v1 and C520WS v2 cameras, causing the HTTP parser to crash and restart the service. This leads to denial of service through repeated device reboots. Only users of these specific camera models are affected.

💻 Affected Systems

Products:
  • Tapo C220
  • Tapo C520WS
Versions: C220 v1, C520WS v2
Operating Systems: Embedded camera firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Persistent denial of service making cameras unavailable for surveillance, potentially during security incidents.

🟠 Likely Case: Intermittent camera outages causing gaps in video recording and monitoring.

🟢 If Mitigated: Minimal impact if cameras are behind firewalls or network segmentation.

🌐 Internet-Facing: HIGH - Unauthenticated attack can be launched remotely if cameras are exposed to internet.
🏢 Internal Only: MEDIUM - Attack requires network access but no authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request with long URL path triggers the vulnerability. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor links for latest firmware

Vendor Advisory: https://www.tp-link.com/us/support/faq/4923/

Restart Required: Yes

Instructions:

1. Visit the TP-Link support page for your camera model.
2. Download the latest firmware.
3. Log into the camera web interface.
4. Navigate to Settings > System > Firmware Upgrade.
5. Upload and install the new firmware.
6. The camera will reboot automatically.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Place cameras on an isolated VLAN or network segment to limit the attack surface.

Firewall Rules (applies to: all)

Block external HTTP access to cameras at the network perimeter.

🧯 If You Can't Patch

  • Isolate cameras from untrusted networks
  • Implement rate limiting on HTTP requests to cameras

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request with a URL path exceeding normal length (e.g., 8192+ characters) to the camera's HTTP port.

Check Version:

Check firmware version in camera web interface under Settings > System > Firmware

Verify Fix Applied:

After patching, the same long-URL request should no longer cause a service crash.

📡 Detection & Monitoring

Log Indicators:

  • Repeated service restarts
  • HTTP parser errors
  • Unusually long URL requests in access logs

Network Indicators:

  • Multiple HTTP requests with very long URLs to camera IPs
  • Increased reboot traffic from cameras

SIEM Query:

source="camera_logs" AND ("restart" OR "crash" OR "parser error") AND url_length>8000
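The SIEM query above assumes the log platform already exposes a `url_length` field. Where camera or proxy logs are only available as raw access-log text, the same indicator can be derived by parsing each line and measuring the request path. The following is an added example (not from this advisory or from TP-Link); it assumes Combined Log Format and uses constructed sample lines, and it also counts repeated hits per source address so that a single oversized request is distinguished from the repeated requests that would cause the reboot loop described above.

```python
import re
from collections import Counter

# Constructed sample access log lines (not real camera output); two requests
# carry paths far beyond the 8000-character indicator threshold.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /{} HTTP/1.1" 500 0
198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /{} HTTP/1.1" 500 0
192.0.2.11 - - [10/Mar/2026:12:00:04 +0000] "POST /api/login HTTP/1.1" 401 64
""".format("A" * 9000, "B" * 8500)

# Combined Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

PATH_LIMIT = 8000  # matches the url_length>8000 condition in the SIEM query


def parse_line(line):
    """Parse one access-log line; return a dict with the path length, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or truncated line: skip rather than crash the parser
    rec = m.groupdict()
    rec["path_len"] = len(rec["path"])
    return rec


def find_long_path_requests(log_text, limit=PATH_LIMIT):
    """Return every parsed request whose URL path exceeds `limit` characters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path_len"] > limit:
            hits.append(rec)
    return hits


def alerting_sources(log_text, limit=PATH_LIMIT, min_hits=3):
    """Map source IP -> count of long-path requests, keeping only repeat offenders."""
    counts = Counter(h["ip"] for h in find_long_path_requests(log_text, limit))
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for h in find_long_path_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], "path_len=%d" % h["path_len"])
    print("repeat sources:", alerting_sources(SAMPLE_LOG, min_hits=2))
```

Feed real log text to `find_long_path_requests` and tune `min_hits` to the interval at which the cameras are observed to restart.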
