Unrated severity · NVD Advisory · Published Feb 24, 2026 · Updated Mar 5, 2026
Tattile Smart+ / Vega / Basic <= 1.181.5 Insufficient Session Token Expiration
CVE-2026-26342
Description
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.
Affected products
- Range: <=1.181.5
- (no CPE) range: <=1.181.5
- (no CPE) range: 0
- Range: 0
- Range: 0
- Range: 0
- Tattile s.r.l./Smart+ Traffic Light v5, Range: 0
Patches
No patches discovered yet.
References
- www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5976.php (mitre; technical-description, exploit)
- www.vulncheck.com/advisories/tattile-smart-vega-basic-insufficient-session-token-expiration (mitre; third-party-advisory)
- www.tattile.com (mitre; product)