CVE-2026-26342 HIGH

CVE-2026-26342: Tattile Smart+ / Vega / Basic <= 1.181.5 Insufficient Session Token Expiration

Vendor Tattile S.r.l.
Product Smart+
Weakness CWE-613 · Insufficient session expiration
Published February 24, 2026
Last update March 5, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Firmware versions 1.181.5 and prior of the Tattile Smart+, Vega, and Basic device families implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Key dates

02 Disclosure timeline

February 24, 2026 CVE published
March 5, 2026 Record updated