CVE-2026-26342
Published: 24 February 2026
Summary
CVE-2026-26342 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Tattile Smart+ firmware (the Vega and Basic device families are affected as well). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): directly mandates automatic termination of user sessions once defined conditions are met, addressing the insufficient token expiration that allows persistent access.
- IA-5 (Authenticator Management): requires management of authenticators, including periodic refresh or change, so a token does not remain valid indefinitely until someone revokes it by hand.
- IA-11 (Re-authentication): enforces re-authentication under organization-defined conditions such as elapsed time, limiting how long a token stays valid within a session.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker who holds no credentials of their own reach the device's network-exposed management interface with an authentication token that never expires, obtained through interception, log exposure, or reuse on a shared system. That is a direct instance of T1190: Exploit Public-Facing Application.
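The reuse pattern behind that mapping (one token, used from more than one client, or far longer than any sane lifetime) is something a defender can look for in the device's or a fronting proxy's access logs while waiting on a firmware fix. The following detector is an added example, not code from the page, the advisories or Tattile; the log format, the field names and the thresholds are assumptions. It logs a SHA-256 prefix of the X-User-Token rather than the token itself, because writing raw bearer tokens to logs is one of the exposure paths the CVE text names.

```python
"""Added example (not from the page, the advisories or Tattile): a small
detector for session-token reuse, run over constructed access-log lines.
Log format, field names and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample, one request per line: epoch seconds, client address,
# hashed token (SHA-256 prefix of X-User-Token), request path.
SAMPLE_LOG = """\
1772000000 10.0.0.5 tokhash=ab12cd /api/status
1772000300 10.0.0.5 tokhash=ab12cd /api/config
1772000900 198.51.100.7 tokhash=ab12cd /api/config
1772001200 10.0.0.9 tokhash=ee44ff /api/status
1772033000 10.0.0.9 tokhash=ee44ff /api/status
1772040000 10.0.0.9 tokhash=ee44ff /api/firmware
1772040300 10.0.0.9 tokhash=ee44ff /api/status
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) tokhash=(?P<tok>[0-9a-f]+) (?P<path>\S+)$")


def parse(text):
    """Return (timestamp, ip, token_hash, path) tuples; malformed lines are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((int(m["ts"]), m["ip"], m["tok"], m["path"]))
    return events


def find_anomalies(events, max_lifetime=8 * 3600, idle_timeout=15 * 60):
    """Per token hash, flag use from more than one client address, use over a
    span longer than max_lifetime, or resumption after more than idle_timeout
    of silence. Returns {token_hash: [reason, ...]} for flagged tokens only."""
    by_tok = defaultdict(list)
    for ev in events:
        by_tok[ev[2]].append(ev)
    findings = {}
    for tok, evs in by_tok.items():
        evs.sort()  # tuples sort by timestamp first
        reasons = []
        ips = {ip for _, ip, _, _ in evs}
        if len(ips) > 1:
            reasons.append(f"used from {len(ips)} client addresses")
        span = evs[-1][0] - evs[0][0]
        if span > max_lifetime:
            reasons.append(
                f"active for {span}s, longer than max lifetime {max_lifetime}s")
        gaps = [b[0] - a[0] for a, b in zip(evs, evs[1:])]
        if gaps and max(gaps) > idle_timeout:
            reasons.append(f"resumed after {max(gaps)}s idle")
        if reasons:
            findings[tok] = reasons
    return findings


if __name__ == "__main__":
    for tok, reasons in find_anomalies(parse(SAMPLE_LOG)).items():
        print(tok, "; ".join(reasons))
```

The multi-address check is the strongest signal for an intercepted token, but clients behind carrier NAT or on mobile links change addresses legitimately, so treat it as a lead rather than a verdict. The lifetime and idle checks describe what a fixed firmware would have refused; seeing them fire confirms the device is still accepting stale tokens.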
NVD Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.
Deeper analysis
CVE-2026-26342 affects the firmware of Tattile Smart+, Vega, and Basic device families in versions 1.181.5 and prior. The vulnerability stems from an authentication token (X-User-Token) implemented with insufficient expiration: the token remains valid indefinitely until it is explicitly revoked. The flaw is classified under CWE-613 (Insufficient Session Expiration) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vector rates the attack as network-reachable, low complexity, and requiring no privileges or user interaction; in practice the attacker must first get hold of a valid token, and the critical rating reflects how little that token then costs to keep using.
An attacker with no credentials of their own can exploit the flaw by obtaining a valid token through interception, exposure in logs, or reuse on a shared system. Holding the token, the attacker has persistent access to the device's management interface, with unauthorized control over device functions and exposure of sensitive data, until an administrator notices and revokes the token by hand; nothing on the device ends the session on its own.
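The flaw described above and the three controls listed under Mitigating Controls come down to the same few checks in the token validator. The code below is an added example, not Tattile's firmware or code from any of the advisories: a deliberately weak in-memory token store that behaves as the CVE text describes (validity ends only with explicit revocation) next to a hardened store that adds an absolute lifetime and idle timeout (AC-12), rotation on re-authentication (IA-5 refresh, IA-11), and revocation. The timeouts, class names and the in-memory store are assumptions chosen for illustration; a real device would persist sessions and, where it can, bind them to the client or TLS channel.

```python
"""Added example, not Tattile's firmware or any of the advisories' code.

Contrasts a token store with the weakness described by CVE-2026-26342
(a token that stays valid until someone revokes it) with a hardened store
that enforces an absolute lifetime, an idle timeout, rotation and
revocation. Timeouts, class names and the in-memory store are assumptions."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float   # epoch seconds when the token was minted
    last_seen: float   # epoch seconds of the last accepted request
    revoked: bool = False


class WeakTokenStore:
    """Mirrors the flaw: validity ends only with explicit revocation."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        return s.user           # no check of age or inactivity at all

    def revoke(self, token):
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True


class HardenedTokenStore(WeakTokenStore):
    """Adds the checks AC-12 (session termination), IA-5 (authenticator
    refresh) and IA-11 (re-authentication) call for."""

    def __init__(self, max_lifetime=8 * 3600, idle_timeout=15 * 60):
        super().__init__()
        self.max_lifetime = max_lifetime   # assumed: 8 h hard cap
        self.idle_timeout = idle_timeout   # assumed: 15 min inactivity cap

    def validate(self, token, now):
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        # Absolute expiry: a stolen token stops working even if the
        # attacker keeps it busy.
        if now - s.issued_at > self.max_lifetime:
            del self._sessions[token]
            return None
        # Inactivity expiry: a token left behind on a shared system goes stale.
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def rotate(self, token, now):
        """Re-issue after re-authentication or a privilege change; the old
        token is invalidated immediately."""
        user = self.validate(token, now)
        if user is None:
            return None
        del self._sessions[token]
        return self.issue(user, now)


def compare_stores(seconds_later=365 * 86400):
    """Issue one token in each store and present it a year later.
    Returns (weak_still_valid, hardened_still_valid)."""
    weak, hard = WeakTokenStore(), HardenedTokenStore()
    tw, th = weak.issue("admin", 0.0), hard.issue("admin", 0.0)
    return (weak.validate(tw, seconds_later) is not None,
            hard.validate(th, seconds_later) is not None)


if __name__ == "__main__":
    print(compare_stores())   # (True, False)
```

Time is passed in explicitly so the behaviour is reproducible; in production `now` is `time.time()`. Note that the idle timeout alone is not enough: an attacker who replays the token every few minutes never goes idle, which is why the absolute lifetime and a forced re-authentication are the checks that actually cap the exposure window.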
For mitigation details, security practitioners should refer to advisories from VulnCheck (https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration), Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php), and the vendor Tattile (https://www.tattile.com/), published around the CVE disclosure on 2026-02-24.
Details
- CWE(s)