
CVE-2026-26340

Severity: High · Public PoC

Published: 24 February 2026
Modified: 26 February 2026
KEV Added: none
Patch: none listed
CVSS Score (v4.0): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0081 (52.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26340 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tattile Smart+ firmware. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). The CVE ranks in the top 47.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-26340 is a missing authentication vulnerability (CWE-306) in the firmware of Tattile Smart+, Vega, and Basic device families, affecting versions 1.181.5 and prior. These surveillance devices expose RTSP streams without requiring any authentication, enabling unauthorized access to live video and audio feeds. Published on 2026-02-24, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.

A remote, unauthenticated attacker can exploit this vulnerability by directly connecting to the device's RTSP service over the network. No user interaction or special privileges are needed, allowing the attacker to view and capture live surveillance streams, resulting in the unauthorized disclosure of sensitive video and audio data from monitored environments.
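As an added illustration (not taken from the advisories or the vendor), a compensating detection a defender can run while devices remain on firmware 1.181.5 or earlier: it scans RTSP access-log lines for stream requests (DESCRIBE/SETUP/PLAY) that the camera answered 200 OK without credentials from clients outside the video-management-system (VMS) allowlist. The log line format, the VMS subnet 10.0.5.0/24 and the sample entries are constructed assumptions, not Tattile's real log format.

```python
import ipaddress
import re

# Assumed (hypothetical) RTSP access-log format, one request per line:
#   <iso-timestamp> <client-ip> <method> <rtsp-url> <status> auth=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z_]+) (?P<url>rtsp://\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
# RTSP methods that hand out stream content; OPTIONS alone discloses nothing.
STREAM_METHODS = {"DESCRIBE", "SETUP", "PLAY"}


def find_unauthenticated_stream_access(lines, vms_networks):
    """Return (timestamp, client, method, url) for every stream request the device
    answered 200 OK without credentials from a client outside the VMS allowlist."""
    allowed = [ipaddress.ip_network(n) for n in vms_networks]
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:  # malformed or unrelated line: skip rather than crash
            continue
        if m["method"] not in STREAM_METHODS or m["status"] != "200" or m["auth"] == "yes":
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):  # expected VMS traffic
            continue
        hits.append((m["ts"], m["src"], m["method"], m["url"]))
    return hits


# Constructed sample log: the VMS host 10.0.5.20 is allowlisted; 203.0.113.9 pulls a
# stream with no credentials and is flagged; 198.51.100.4 was refused (401) and is not.
SAMPLE_LOG = [
    "2026-02-25T10:00:02Z 10.0.5.20 DESCRIBE rtsp://cam01/live 200 auth=no",
    "2026-02-25T10:00:03Z 10.0.5.20 PLAY rtsp://cam01/live 200 auth=no",
    "2026-02-25T10:07:41Z 203.0.113.9 OPTIONS rtsp://cam01/live 200 auth=no",
    "2026-02-25T10:07:42Z 203.0.113.9 DESCRIBE rtsp://cam01/live 200 auth=no",
    "2026-02-25T10:07:43Z 203.0.113.9 SETUP rtsp://cam01/live/track1 200 auth=no",
    "2026-02-25T10:07:44Z 203.0.113.9 PLAY rtsp://cam01/live 200 auth=no",
    "2026-02-25T10:09:10Z 198.51.100.4 DESCRIBE rtsp://cam01/live 401 auth=no",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_unauthenticated_stream_access(SAMPLE_LOG, ["10.0.5.0/24"]):
        print("ALERT unauthenticated RTSP stream access:", *hit)
```

Any flagged client outside the allowlist is a candidate for network-level blocking of TCP/554 at the device's upstream switch or firewall, the practical mitigation until the vendor ships a firmware that enforces RTSP authentication.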

Advisories from VulnCheck (https://www.vulncheck.com/advisories/tattile-smart-vega-basic-unauthenticated-rtsp-stream-disclosure) and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php), along with the vendor site (https://www.tattile.com/), provide further details on the issue, though specific patch or mitigation guidance is not outlined in the CVE description.


Vulnerability details

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on publicly exposed RTSP service (CWE-306) directly enables remote unauthenticated access to device streams, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26342 (same product: Tattile Anpr Mobile)
CVE-2026-26341 (same product: Tattile Anpr Mobile)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)
CVE-2022-50981 (shared CWE-306)

Affected Assets

Vendor: tattile. Affected products and versions:

smart+ firmware ≤ 1.181.5
tolling+ firmware ≤ 1.181.5
smart+ speed firmware ≤ 1.181.5
smart+ traffic light firmware ≤ 1.181.5
axle counter firmware ≤ 1.181.5
vega53 firmware ≤ 1.181.5
vega33 firmware ≤ 1.181.5
vega11 firmware ≤ 1.181.5
basic mk2 firmware ≤ 1.181.5
anpr mobile firmware ≤ 1.181.5

Mitigating Controls (NIST 800-53 r5) (AI)

AC-14 (Permitted Actions Without Identification or Authentication), prevent: Directly requires organizations to explicitly identify, document, and authorize specific actions like RTSP stream access permitted without identification or authentication, preventing unauthorized disclosure.

Prevent: Enforces approved authorizations for logical access to publicly accessible information, such as unauthenticated RTSP streams on surveillance devices.

AC-3 (Access Enforcement), prevent: Enforces approved authorizations for logical access to system resources, requiring authentication mechanisms for services like RTSP to block unauthenticated remote access.
