CVE-2026-26342

CRITICAL

Tattile Smart+/Vega/Basic <1.181.5 - Auth Bypass

Description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Scores

CVSS v3: 9.8
EPSS: 0.0035
EPSS Percentile: 57.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-613
Status: published
Products (10)
tattile/anpr_mobile_firmware < 1.181.5
tattile/axle_counter_firmware < 1.181.5
tattile/basic_mk2_firmware < 1.181.5
tattile/smart\+_firmware < 1.181.5
tattile/smart\+_speed_firmware < 1.181.5
tattile/smart\+_traffic_light_firmware < 1.181.5
tattile/tolling\+_firmware < 1.181.5
tattile/vega11_firmware < 1.181.5
tattile/vega33_firmware < 1.181.5
tattile/vega53_firmware < 1.181.5
Published: Feb 24, 2026
Tracked Since: Feb 25, 2026