CVE-2026-26342 · CRITICAL 9.8 · EPSS p48.9%

Description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% probability of exploitation · percentile 48.9% · 2026-06-19T12:03:05Z
Published: 2026-02-24
Last modified: 2026-02-27

Underlying weaknesses · 1

CWE-613

References

  1. https://www.tattile.com/
  2. https://www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration
  3. https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php

Type | Target | Confidence | Tier
Weakness | Insufficient Session Expiration cwe-613 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-26341
CVE-2026-20998
CVE-2026-28536
CVE-2026-24789
CVE-2026-20997
CVE-2025-41652

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.