CVE-2026-26342

Summary

Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data.

Affected Software

VendorProductVersion RangeStatus
Tattile s.r.l.Smart+0 <= 1.181.5affected
Tattile s.r.l.Tolling+0 <= 1.181.5affected
Tattile s.r.l.Smart+ Speed0 <= 1.181.5affected
Tattile s.r.l.Smart+ Traffic Light0 <= 1.181.5affected
Tattile s.r.l.Axle Counter0 <= 1.181.5affected
Tattile s.r.l.Vega530 <= 1.181.5affected
Tattile s.r.l.Vega330 <= 1.181.5affected
Tattile s.r.l.Vega110 <= 1.181.5affected
Tattile s.r.l.Basic MK20 <= 1.181.5affected
Tattile s.r.l.ANPR Mobile0 <= 1.181.5affected

Weaknesses

  • CWE-613: CWE-613 Insufficient Session Expiration

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References