Home

Description

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.

PUBLISHED Reserved 2026-02-13 | Published 2026-02-24 | Updated 2026-02-24 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Default status
unaffected

Any version
affected

Credits

Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5978.php technical-description exploit

www.tattile.com/ product

www.vulncheck.com/...-unauthenticated-rtsp-stream-disclosure third-party-advisory

cve.org (CVE-2026-26340)

nvd.nist.gov (CVE-2026-26340)

Download JSON