Cyber Posture

CVE-2026-26342

Severity: Critical · Public PoC available

Published: 24 February 2026
Modified: 27 February 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mandates automatic termination of user sessions after defined conditions, comprehensively addressing the insufficient token expiration that allows persistent access.

prevent: Requires management of authenticators, including periodic refresh or change, preventing tokens from remaining valid indefinitely until manual revocation.

prevent: Enforces re-authentication under organization-defined conditions such as elapsed time, limiting how long a token stays valid within a session.

Security Summary [AI]

CVE-2026-26342 affects the firmware of the Tattile Smart+, Vega, and Basic device families in versions 1.181.5 and prior. The authentication token (X-User-Token) is implemented with insufficient expiration, so a token stays valid until it is explicitly revoked. The flaw is classified under CWE-613 (Insufficient Session Expiration) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. Read PR:N with care; it rates the replay of a token the attacker already holds, not the step of obtaining one.

An attacker with no credentials of their own exploits this by first obtaining a valid token, for example by intercepting it on the wire, finding it in exposed logs, or reusing one left behind on a shared system, and then presenting it in the X-User-Token header. Because the device never expires the token, that access persists until an administrator revokes it, giving the attacker control of device functions and access to device data. Until a firmware release that bounds token lifetime is available and deployed, the practical compensating controls follow from those leakage paths: revoke and reissue tokens on a schedule, keep the management interface behind TLS and off untrusted networks, and keep token values out of logs.
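The three mitigating controls listed earlier and the summary above come down to one missing check in token validation. The following Python is an added example, not Tattile's firmware code: it places the CWE-613 pattern (a token valid until someone revokes it) beside a store that bounds each token with an absolute lifetime, an idle timeout and revocation. Only the header name X-User-Token comes from the advisory; the 8-hour and 15-minute limits, the class and function names, and the replay scenario are assumptions made for illustration.

```python
"""Added example (not Tattile's firmware code): a bearer token that never
expires beside one bounded by an absolute lifetime, an idle timeout and
revocation. X-User-Token is the header named in the advisory; the 8 h and
15 min limits are assumptions, not values documented for the devices."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class WeakTokenStore:
    """CWE-613 pattern: a token is valid until an administrator revokes it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def validate(self, token: str) -> Optional[str]:
        return self._tokens.get(token)  # no time check at all

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class HardenedTokenStore:
    """Same interface; validate() enforces an absolute lifetime (forces re-authentication)
    and an idle timeout (ends abandoned sessions), and deletes expired entries."""

    def __init__(self, now: Callable[[], float] = time.monotonic,
                 max_lifetime: float = 8 * 3600, idle_timeout: float = 15 * 60) -> None:
        self._now, self._max_lifetime, self._idle_timeout = now, max_lifetime, idle_timeout
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[token] = Session(user, t, t)
        return token

    def validate(self, token: str) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self._now()
        if t - s.issued_at >= self._max_lifetime or t - s.last_seen >= self._idle_timeout:
            del self._sessions[token]  # expired: drop it so a stale token can never be revived
            return None
        s.last_seen = t
        return s.user

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


class FakeClock:
    """Stand-in for time.monotonic so the example can jump ahead in time."""
    t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def replay_scenarios() -> Dict[str, object]:
    """Replay a captured token a month later, then probe both timeouts."""
    clock = FakeClock()
    weak, hard = WeakTokenStore(), HardenedTokenStore(now=clock)
    w, h = weak.issue("admin"), hard.issue("admin")
    clock.advance(30 * 24 * 3600)  # a token lifted from a log is replayed 30 days on
    out: Dict[str, object] = {
        "weak_replay_30d_accepted": weak.validate(w) == "admin",
        "hard_replay_30d_accepted": hard.validate(h) == "admin",
    }
    live = hard.issue("operator")  # polled every 5 min, so the idle timeout never trips
    elapsed = 0
    while hard.validate(live) is not None:
        clock.advance(5 * 60)
        elapsed += 5 * 60
    out["hard_absolute_expiry_seconds"] = elapsed  # ...but the absolute lifetime still ends it
    idle = hard.issue("viewer")
    clock.advance(14 * 60)
    out["hard_valid_after_14min_idle"] = hard.validate(idle) == "viewer"
    clock.advance(16 * 60)
    out["hard_valid_after_16min_idle"] = hard.validate(idle) == "viewer"
    return out
```

replay_scenarios() shows a month-old token still accepted by the weak store and rejected by the hardened one, and that steady activity cannot keep a hardened session alive past its absolute lifetime, which is the property the re-authentication control asks for. The injected clock is what makes the expiry paths testable; production code would use time.monotonic, and a device that persists its session table across reboots must persist the issue timestamps with it, or the absolute lifetime silently restarts.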

For mitigation details, refer to the advisories from VulnCheck (https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration), Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php), and the vendor Tattile (https://www.tattile.com/), published around the CVE disclosure date of 24 February 2026.

Details

CWE(s)

CWE-613 Insufficient Session Expiration

Affected Products

Vendor    Product                          Affected versions
tattile   smart+ firmware                  ≤ 1.181.5
tattile   tolling+ firmware                ≤ 1.181.5
tattile   smart+ speed firmware            ≤ 1.181.5
tattile   smart+ traffic light firmware    ≤ 1.181.5
tattile   axle counter firmware            ≤ 1.181.5
tattile   vega53 firmware                  ≤ 1.181.5
tattile   vega33 firmware                  ≤ 1.181.5
tattile   vega11 firmware                  ≤ 1.181.5
tattile   basic mk2 firmware               ≤ 1.181.5
tattile   anpr mobile firmware             ≤ 1.181.5

The product list is broader than the three families named in the description: it also covers the Tolling+, Axle Counter and ANPR Mobile firmware, so asset matching should be driven by this list rather than by the description text.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The vulnerability enables network-based access to the device's management interface by replaying a non-expiring authentication token obtained through interception or reuse, which is the initial-access step T1190 describes. The replay itself, once a token is in hand, also matches T1550.001 (Use Alternate Authentication Material: Application Access Token); only the initial-access mapping is listed here.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
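The technique mapping above covers the attacker's side. From the defender's side, a leaked non-expiring token leaves two signals in the device's access logs: the same token keeps working long after it could legitimately have been issued, and it appears from more than one client address. The following Python is an added example, not from the advisory or the vendor; the log format is constructed for it (the page shows no Tattile log format), only a hash prefix of the token value is logged so the log itself does not become the leak, and the 8-hour lifetime policy is an assumption.

```python
"""Added example (not from the advisory or vendor): hunt access logs for
tokens still in use long after first sighting or used from several client
addresses. The line format and the 8 h policy are assumptions; tok= carries
a hash prefix of the X-User-Token value, never the token itself."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample lines: one token replayed 37 hours later from a new address,
# one token used normally for twenty minutes from a single address.
SAMPLE_LOG = """\
2026-02-24T08:00:00Z 198.51.100.10 GET /api/status tok=7f3a9c
2026-02-24T08:05:00Z 198.51.100.10 GET /api/config tok=7f3a9c
2026-02-25T21:30:00Z 203.0.113.77 GET /api/config tok=7f3a9c
2026-02-25T21:31:00Z 203.0.113.77 POST /api/config tok=7f3a9c
2026-02-24T09:00:00Z 198.51.100.22 GET /api/status tok=c1d2e3
2026-02-24T09:20:00Z 198.51.100.22 GET /api/status tok=c1d2e3
"""

LINE_RE = re.compile(r"^(\S+)Z (\S+) (\S+) (\S+) tok=([0-9a-f]+)$")


def parse_lines(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, client_ip, token_prefix); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(5)


def find_suspicious_tokens(text: str,
                           max_lifetime: timedelta = timedelta(hours=8)) -> Dict[str, List[str]]:
    """Return {token_prefix: [reasons]} for tokens active beyond max_lifetime
    (measured from first sighting, so a lower bound on real age) or seen
    from more than one client address."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    ips: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, tok in parse_lines(text):
        first[tok] = min(first.get(tok, ts), ts)
        last[tok] = max(last.get(tok, ts), ts)
        ips[tok].add(ip)
    findings: Dict[str, List[str]] = {}
    for tok in first:
        reasons: List[str] = []
        span = last[tok] - first[tok]
        if span > max_lifetime:
            reasons.append(f"active for {span}, longer than the {max_lifetime} lifetime policy")
        if len(ips[tok]) > 1:
            reasons.append(f"used from {len(ips[tok])} client addresses: {sorted(ips[tok])}")
        if reasons:
            findings[tok] = reasons
    return findings


if __name__ == "__main__":
    for tok, reasons in find_suspicious_tokens(SAMPLE_LOG).items():
        print(tok, "->", "; ".join(reasons))
```

On the sample, 7f3a9c is flagged on both counts and c1d2e3 is clean. The lifetime check is deliberately a lower bound: the log only shows when a token was first seen, not when it was issued, so anything it flags is certainly over policy. The address check will false-positive for roaming operators behind changing NAT, which is why both reasons are reported separately rather than folded into one score.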

References