CVE-2026-26340
Published: 24 February 2026
Summary
CVE-2026-26340 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tattile Smart+ firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires organizations to explicitly identify, document, and authorize the specific actions, such as RTSP stream access, that are permitted without identification or authentication, preventing unauthorized disclosure.
- Enforces approved authorizations for logical access to publicly accessible information, such as unauthenticated RTSP streams on surveillance devices.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, requiring an authentication mechanism in front of services like RTSP so that unauthenticated remote access is blocked.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on publicly exposed RTSP service (CWE-306) directly enables remote unauthenticated access to device streams, mapping to T1190 Exploit Public-Facing Application.
NVD Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
Deeper analysis
CVE-2026-26340 is a missing authentication vulnerability (CWE-306) in the firmware of Tattile Smart+, Vega, and Basic device families, affecting versions 1.181.5 and prior. These surveillance devices expose RTSP streams without requiring any authentication, enabling unauthorized access to live video and audio feeds. Published on 2026-02-24, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.
A remote, unauthenticated attacker can exploit this vulnerability by directly connecting to the device's RTSP service over the network. No user interaction or special privileges are needed, allowing the attacker to view and capture live surveillance streams, resulting in the unauthorized disclosure of sensitive video and audio data from monitored environments.
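The defensive question this raises for anyone operating such devices is whether a given RTSP endpoint on their network still answers a credential-less request with a session description. The script below is an added example, not code from this advisory or from the vendor: it classifies RTSP responses (for instance ones captured from an authorised audit of your own cameras) as exposed or protected by looking at the status line, any WWW-Authenticate challenges, and whether an SDP body was returned. The two sample responses are constructed for the example and are not captures from a Tattile device.

```python
"""Classify RTSP responses as exposed or authentication-protected
(added example).

A device with the CWE-306 weakness described above answers an
unauthenticated DESCRIBE with "200 OK" and an SDP body; a correctly
configured one answers "401 Unauthorized" with a WWW-Authenticate
challenge. The sample responses at the bottom are constructed.
"""
from dataclasses import dataclass, field
import re


@dataclass
class RtspVerdict:
    status: int
    exposed: bool                      # stream described with no credentials
    has_sdp: bool                      # body looked like an SDP description
    auth_schemes: list = field(default_factory=list)  # from WWW-Authenticate


def classify_response(raw: bytes) -> RtspVerdict:
    """Parse one raw RTSP response and decide whether it exposed a stream."""
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/1\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an RTSP response: " + lines[0][:40])
    status = int(m.group(1))

    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            # 'Digest realm="cam", nonce="..."' -> 'Digest'
            schemes.append(value.strip().split(" ", 1)[0])

    has_sdp = body.lstrip().startswith("v=0")
    # A 200 with an SDP body in reply to a request carrying no credentials
    # means anyone who can reach the port can read the session description
    # and continue to SETUP/PLAY; that is the condition to alert on.
    exposed = status == 200 and has_sdp
    return RtspVerdict(status, exposed, has_sdp, schemes)


def audit(responses: dict) -> list:
    """Names of endpoints that served a stream description without
    authentication; these are the ones to fix or firewall first."""
    return [name for name, raw in responses.items()
            if classify_response(raw).exposed]


# --- constructed sample responses (not real device output) -----------------
EXPOSED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=cam\r\nm=video 0 RTP/AVP 96\r\n"
)
PROTECTED_RESPONSE = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="0123abcd"\r\n'
    b'WWW-Authenticate: Basic realm="camera"\r\n\r\n'
)

if __name__ == "__main__":
    samples = {"lobby-cam": EXPOSED_RESPONSE, "gate-cam": PROTECTED_RESPONSE}
    for name, raw in samples.items():
        print(name, classify_response(raw))
    print("exposed:", audit(samples))  # ['lobby-cam']
```

Note that a 401 is only half of the control: the advisory's AC-3 mapping is satisfied when the device also rejects the follow-on SETUP and PLAY without credentials, so an audit should treat "200 with SDP to an unauthenticated request" as a finding regardless of which method produced it. Until a fixed firmware is available, restricting reachability of the RTSP port to the recording server's network is the compensating control that most directly removes the AV:N precondition of this CVE.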
Advisories from VulnCheck (https://www.vulncheck.com/advisories/tattile-smart-vega-basic-unauthenticated-rtsp-stream-disclosure) and Zero Science Lab (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php), along with the vendor site (https://www.tattile.com/), provide further details on the issue, though specific patch or mitigation guidance is not outlined in the CVE description.
Details
- CWE(s)