Platform
other
Component
tattile-smart-vega-basic
Fixed in
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
1.181.6
CVE-2026-26340 affects Tattile Smart+, Vega, and Basic device families running firmware versions 0 through 1.181.5. This vulnerability allows a remote attacker to access live video and audio streams via the RTSP service without authentication, leading to unauthorized disclosure of surveillance data. The vulnerability was publicly disclosed on February 24, 2026, and a firmware update is expected to address the issue.
The primary impact of CVE-2026-26340 is the unauthorized exposure of live video and audio streams captured by Tattile surveillance devices. An attacker exploiting this vulnerability could gain real-time access to sensitive areas monitored by these devices, potentially compromising privacy and security. This could include observing private residences, businesses, or critical infrastructure. The lack of authentication means that any attacker with network access to the device can exploit this vulnerability, significantly broadening the potential attack surface. The blast radius extends to anyone who relies on the surveillance data captured by these devices, as the integrity and confidentiality of that data are directly at risk.
CVE-2026-26340 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the simplicity of the vulnerability suggests that they are likely to emerge. The EPSS score is likely to be assessed as medium, given the ease of exploitation and the potential for significant data exposure. The vulnerability was disclosed publicly on February 24, 2026.
Exploit Status
EPSS
0.53% (67% percentile)
CISA SSVC
The primary mitigation for CVE-2026-26340 is to upgrade the firmware on affected Tattile Smart+, Vega, and Basic devices to a version that includes the security fix. Tattile is expected to release a patched firmware version soon. Until a patch is available, consider segmenting the network to restrict access to the devices. Implement firewall rules to block external access to the RTSP port (typically 554) on the devices. Monitor network traffic for suspicious RTSP connections originating from unexpected sources. After upgrading the firmware, confirm the fix by attempting to connect to the RTSP stream without authentication; a successful connection indicates the vulnerability remains.
Update the Tattile Smart+, Vega, or Basic device firmware to a version later than 1.181.5 to require authentication for accessing RTSP streams. This will prevent unauthorized access to video and audio streams.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-26340 is a vulnerability affecting Tattile Smart+, Vega, and Basic devices where RTSP streams can be accessed without authentication, allowing unauthorized viewing of live video/audio.
You are affected if you use a Tattile Smart+, Vega, or Basic device running firmware versions 0 through 1.181.5 and have not yet upgraded to a patched version.
Upgrade the firmware on your Tattile device to a version that includes the security fix. Until a patch is available, restrict network access and monitor for suspicious RTSP connections.
While no active exploitation has been confirmed, the simplicity of the vulnerability suggests that exploitation is likely to occur.
Refer to the Tattile website or contact Tattile support for the official advisory and firmware updates related to CVE-2026-26340.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.