CVE-2026-2065 identifies a missing authentication vulnerability in the Bluetooth Low Energy (BLE) interface of Flycatcher Toys smART Pixelator version 2.0. The vulnerability allows an attacker connected to the same local network as the device to perform unauthorized manipulations on an unspecified BLE functionality without requiring any authentication or user interaction. The attack vector is limited to local network access, which reduces the attack surface but still poses a risk in environments where the device is deployed in shared or insecure networks. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity), reflecting low attack complexity and no privileges or user interaction needed, but limited scope and impact. The vendor was notified early but has not issued any response or patch, and a public exploit is available, increasing the risk of exploitation. The exact impact on device functionality is unclear, but unauthorized BLE manipulation could lead to data leakage, device control, or denial of service. No known exploits in the wild have been reported yet. The absence of vendor mitigation necessitates defensive measures at the network and operational levels.

The vulnerability could allow attackers on the local network to bypass authentication controls on the smART Pixelator’s BLE interface, potentially leading to unauthorized access or control of the device. This could result in confidentiality breaches if sensitive data is accessible via BLE, integrity violations if device settings or operations are altered maliciously, or availability issues if the device is disrupted or disabled. Given the device is a toy with BLE connectivity, the direct impact on critical infrastructure may be limited, but in environments such as schools, daycare centers, or homes, exploitation could lead to privacy violations or safety concerns. The public availability of an exploit increases the likelihood of opportunistic attacks, especially in unsecured Wi-Fi or Bluetooth environments. Organizations using these devices without network segmentation or BLE access controls face increased risk. The lack of vendor response and patch availability prolongs exposure and complicates remediation efforts.

Since no official patch or vendor response is available, organizations should implement compensating controls to reduce risk. These include isolating the smART Pixelator devices on separate VLANs or network segments with strict access controls to limit local network exposure. Disable or restrict Bluetooth Low Energy connectivity where possible, or use BLE monitoring tools to detect unauthorized access attempts. Employ strong Wi-Fi security measures (WPA3 or at least WPA2 with strong passwords) to prevent unauthorized local network access. Regularly audit network devices and traffic for anomalous BLE activity. Educate users and administrators about the risk of local network attacks and the importance of physical security to prevent unauthorized proximity. Monitor threat intelligence sources for updates or vendor patches and apply them promptly once available. Consider replacing affected devices with alternatives that have better security postures if mitigation is not feasible.