Vulnerability Details CVE-2026-26342
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 53.9%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-26342
-
cpe:2.3:h:tattile:anpr_mobile:-
-
cpe:2.3:h:tattile:axle_counter:-
-
cpe:2.3:h:tattile:basic_mk2:-
-
cpe:2.3:h:tattile:smart+:-
-
cpe:2.3:h:tattile:smart+_speed:-
-
cpe:2.3:h:tattile:smart+_traffic_light:-
-
cpe:2.3:h:tattile:tolling+:-
-
cpe:2.3:h:tattile:vega11:-
-
cpe:2.3:h:tattile:vega33:-
-
cpe:2.3:h:tattile:vega53:-
-
cpe:2.3:o:tattile:anpr_mobile_firmware:*
-
cpe:2.3:o:tattile:axle_counter_firmware:*
-
cpe:2.3:o:tattile:basic_mk2_firmware:*
-
cpe:2.3:o:tattile:smart+_firmware:*
-
cpe:2.3:o:tattile:smart+_speed_firmware:*
-
cpe:2.3:o:tattile:smart+_traffic_light_firmware:*
-
cpe:2.3:o:tattile:tolling+_firmware:*
-
cpe:2.3:o:tattile:vega11_firmware:*
-
cpe:2.3:o:tattile:vega33_firmware:*
-
cpe:2.3:o:tattile:vega53_firmware:*