CVE-2026-26340: CWE-306 Missing Authentication for Critical Function in Tattile s.r.l. Smart+
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior expose RTSP streams without requiring authentication. A remote attacker can connect to the RTSP service and access live video/audio streams without valid credentials, resulting in unauthorized disclosure of surveillance data.
AI Analysis
Technical Summary
CVE-2026-26340 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Tattile s.r.l.'s Smart+, Vega, and Basic device families running firmware versions 1.181.5 and prior. The issue arises because the RTSP (Real-Time Streaming Protocol) service on these devices does not enforce authentication, so any remote client can connect directly to the RTSP stream endpoint. This unauthorized access exposes the live video and audio feeds captured by the surveillance devices, compromising the confidentiality of sensitive surveillance data. The vulnerability is remotely exploitable over the network without any privileges or user interaction, making it highly accessible to attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates a network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no impact on integrity or availability. No patches or vendor advisories are currently available, and no active exploitation has been reported. The affected devices are commonly deployed in traffic monitoring, industrial, and security surveillance applications, which increases the sensitivity of the exposed data. The vulnerability reflects a design flaw in the device firmware: a critical streaming function is exposed without any access control.
Potential Impact
The primary impact of CVE-2026-26340 is the unauthorized disclosure of live surveillance video and audio streams, which can severely compromise privacy and operational security. Organizations relying on Tattile Smart+, Vega, and Basic devices for traffic monitoring, industrial automation, or security surveillance may have sensitive visual and audio data exposed to unauthorized parties. This can lead to intelligence gathering by malicious actors, industrial espionage, or privacy violations affecting individuals captured by the cameras. The lack of authentication means attackers can easily access streams without needing credentials or exploiting complex vulnerabilities, increasing the risk of widespread unauthorized access. Although the vulnerability does not affect data integrity or device availability, the confidentiality breach alone can have significant legal, regulatory, and reputational consequences for affected organizations. The absence of patches means the risk persists until mitigations are applied. Given the use of these devices in critical infrastructure and public safety contexts, the impact can extend to national security concerns in some regions.
Mitigation Recommendations
Until official patches or firmware updates are released by Tattile s.r.l., organizations should implement network-level mitigations to reduce exposure. These include restricting RTSP service access via firewall rules to trusted IP addresses only, ideally isolating affected devices on segmented networks with strict access controls. Deploy network intrusion detection systems (NIDS) to monitor for unusual RTSP connection attempts. Disable RTSP streaming if not required or replace devices with alternatives that enforce authentication. If RTSP streams must be used, consider deploying VPNs or secure tunnels to restrict access to authorized users. Regularly audit device firmware versions and monitor vendor communications for updates. Additionally, organizations should review physical security and privacy policies to mitigate risks from potential data leaks. Once vendor patches become available, prioritize immediate firmware upgrades to enforce authentication on RTSP streams.
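One way to operationalize the allowlist and monitoring advice above, as an added example that is not part of this advisory or of any Tattile tooling: a small Python rule that parses NIDS-style RTSP connection log lines and flags stream-level requests (DESCRIBE, SETUP, PLAY) from sources outside the trusted networks. The log format, the trusted networks 10.20.0.0/24 and 10.99.1.5, the camera address 10.20.5.7, and the sample log lines are all constructed assumptions.

```python
"""Flag RTSP stream access from outside a trusted allowlist (added example, not from Tattile)."""
import ipaddress
import re

# Constructed log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:554 RTSP <METHOD> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):554 RTSP "
    r"(?P<method>[A-Z_]+) (?P<url>\S+)$"
)
# Methods that set up or consume a stream, as opposed to OPTIONS probes.
STREAM_METHODS = {"DESCRIBE", "SETUP", "PLAY"}
# Assumed trusted sources: a hypothetical VMS/NVR subnet and one jump host.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.99.1.5/32")]


def is_trusted(src_ip):
    """True if the source address lies inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_untrusted_rtsp(lines):
    """Return (src_ip, method, url) for stream-level RTSP requests from untrusted sources.

    OPTIONS probes are skipped so the rule fires on actual stream access, not scanner noise.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in STREAM_METHODS:
            continue  # malformed, unrelated, or a bare OPTIONS probe
        if not is_trusted(m["src"]):
            alerts.append((m["src"], m["method"], m["url"]))
    return alerts


# Constructed sample: a trusted NVR (10.20.0.15) and an unknown host reaching camera 10.20.5.7.
SAMPLE_LOG = [
    "2026-02-24T19:10:01Z 10.20.0.15:50211 -> 10.20.5.7:554 RTSP DESCRIBE rtsp://10.20.5.7/stream1",
    "2026-02-24T19:10:02Z 10.20.0.15:50211 -> 10.20.5.7:554 RTSP PLAY rtsp://10.20.5.7/stream1",
    "2026-02-24T19:12:40Z 203.0.113.9:41000 -> 10.20.5.7:554 RTSP OPTIONS rtsp://10.20.5.7/",
    "2026-02-24T19:12:41Z 203.0.113.9:41000 -> 10.20.5.7:554 RTSP DESCRIBE rtsp://10.20.5.7/stream1",
    "2026-02-24T19:12:42Z 203.0.113.9:41000 -> 10.20.5.7:554 RTSP PLAY rtsp://10.20.5.7/stream1",
]

if __name__ == "__main__":
    for src, method, url in detect_untrusted_rtsp(SAMPLE_LOG):
        print(f"ALERT untrusted RTSP {method} from {src} to {url}")
```

On the sample above the rule raises two alerts for 203.0.113.9 (DESCRIBE and PLAY) and stays silent for the trusted NVR and the OPTIONS probe.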
Affected Countries
Italy, United States, Germany, France, United Kingdom, Canada, Netherlands, Spain, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-13T17:28:43.053Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699df93ebe58cf853b1d7e8e
Added to database: 2/24/2026, 7:17:18 PM
Last enriched: 2/24/2026, 7:32:05 PM
Last updated: 2/24/2026, 9:31:11 PM