CVE-2026-26340: Unauth RTSP Stream in Tattile Smart+ Devices
Platform: other
Component: tattile-smart-vega-basic
Fixed in: 1.181.6
CVE-2026-26340 affects Tattile Smart+, Vega, and Basic device families running firmware versions 0 through 1.181.5. This vulnerability allows a remote attacker to access live video and audio streams via the RTSP service without authentication, leading to unauthorized disclosure of surveillance data. The vulnerability was publicly disclosed on February 24, 2026, and a firmware update is expected to address the issue.
Impact and Attack Scenarios
The primary impact of CVE-2026-26340 is the unauthorized exposure of live video and audio streams captured by Tattile surveillance devices. An attacker exploiting this vulnerability could gain real-time access to sensitive areas monitored by these devices, potentially compromising privacy and security. This could include observing private residences, businesses, or critical infrastructure. The lack of authentication means that any attacker with network access to the device can exploit this vulnerability, significantly broadening the potential attack surface. The blast radius extends to anyone who relies on the surveillance data captured by these devices, as the integrity and confidentiality of that data are directly at risk.
Exploitation Context
CVE-2026-26340 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the simplicity of the vulnerability suggests that they are likely to emerge. The EPSS score is likely to be assessed as medium, given the ease of exploitation and the potential for significant data exposure. The vulnerability was disclosed publicly on February 24, 2026.
Threat Intelligence
EPSS: 0.53% (67th percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-26340 is to upgrade the firmware on affected Tattile Smart+, Vega, and Basic devices to a version that includes the security fix. Tattile is expected to release a patched firmware version soon. Until a patch is available, consider segmenting the network to restrict access to the devices. Implement firewall rules to block external access to the RTSP port (typically 554) on the devices. Monitor network traffic for suspicious RTSP connections originating from unexpected sources. After upgrading the firmware, confirm the fix by attempting to connect to the RTSP stream without authentication; a successful connection indicates the vulnerability remains.
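One way to script the post-upgrade check described above, as an added example (not Tattile's code or this page's): it sends a single RTSP DESCRIBE with no credentials to a device you administer and classifies the reply. The stream path is device-specific and not given on this page, so it is a required argument; treating 401 plus a WWW-Authenticate header as "authentication enforced" is this example's assumption.

```python
"""Added example: does an RTSP service demand credentials after the upgrade?"""
import socket
import sys


def build_describe(host: str, port: int, path: str) -> bytes:
    """RTSP/1.0 DESCRIBE (RFC 2326) that deliberately carries no Authorization header."""
    url = f"rtsp://{host}:{port}{path}"
    return (f"DESCRIBE {url} RTSP/1.0\r\n"
            "CSeq: 1\r\n"
            "Accept: application/sdp\r\n\r\n").encode("ascii")


def classify(response: bytes) -> str:
    """Turn the server's reply into a verdict on authentication enforcement."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "inconclusive: not an RTSP response"
    status = int(parts[1])
    headers = {k.strip().lower() for k, _, _ in (l.partition(":") for l in lines[1:])}
    if status == 401 and "www-authenticate" in headers:
        return "auth-required"
    if status == 200:
        # The server described the stream to an anonymous client.
        return "open: stream described without credentials"
    # e.g. 404 means the path is wrong, which proves nothing about authentication.
    return f"inconclusive: status {status}"


def check_device(host: str, path: str, port: int = 554, timeout: float = 5.0) -> str:
    """Send one unauthenticated DESCRIBE and classify the first reply chunk."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(host, port, path))
        return classify(s.recv(4096))  # status line and headers fit in one read


if __name__ == "__main__":
    # usage: python check_rtsp_auth.py <device-ip> <stream-path>
    print(check_device(sys.argv[1], sys.argv[2]))
```

An "inconclusive" result means the check has to be repeated with the correct stream path for that device before the fix can be considered confirmed.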
How to fix
Update the Tattile Smart+, Vega, or Basic device firmware to a version later than 1.181.5 to require authentication for accessing RTSP streams. This will prevent unauthorized access to video and audio streams.
Frequently asked questions
What is CVE-2026-26340 — Unauth RTSP Stream in Tattile Smart+ Devices?
CVE-2026-26340 is a vulnerability affecting Tattile Smart+, Vega, and Basic devices where RTSP streams can be accessed without authentication, allowing unauthorized viewing of live video/audio.
Am I affected by CVE-2026-26340 in Tattile Smart+ Devices?
You are affected if you use a Tattile Smart+, Vega, or Basic device running firmware versions 0 through 1.181.5 and have not yet upgraded to a patched version.
How do I fix CVE-2026-26340 in Tattile Smart+ Devices?
Upgrade the firmware on your Tattile device to a version that includes the security fix. Until a patch is available, restrict network access and monitor for suspicious RTSP connections.
Is CVE-2026-26340 being actively exploited?
While no active exploitation has been confirmed, the simplicity of the vulnerability suggests that exploitation is likely to occur.
Where can I find the official Tattile advisory for CVE-2026-26340?
Refer to the Tattile website or contact Tattile support for the official advisory and firmware updates related to CVE-2026-26340.