The vulnerability identified as CVE-2026-2671 affects the Mendi Neurofeedback Headset version 4, specifically within an unspecified functionality of its Bluetooth Low Energy (BLE) Handler component. This flaw results in the transmission of sensitive information in cleartext, meaning that data sent between the headset and paired devices can be intercepted and read by an attacker with access to the same local network. The attack vector is limited to local network access, and the complexity of successfully exploiting this vulnerability is rated as high, indicating that a skilled attacker with specific conditions met is required. No authentication or user interaction is necessary to exploit the flaw, but the attacker must be within the local network range. The vendor, Mendi, was contacted early regarding this vulnerability but has not issued any response or patch, leaving the device unprotected. The CVSS 4.0 base score is 2.3, reflecting a low severity due to limited attack scope and impact. The vulnerability does not affect confidentiality broadly beyond the local environment, nor does it impact integrity or availability. No known exploits have been reported in the wild, and no mitigation patches are currently available. This vulnerability highlights risks associated with BLE implementations that do not adequately encrypt sensitive data during transmission, potentially exposing user data to local eavesdropping or man-in-the-middle attacks.

The primary impact of this vulnerability is the potential exposure of sensitive information transmitted by the Mendi Neurofeedback Headset over Bluetooth Low Energy in cleartext. Organizations using these headsets in environments where local network access is shared or not tightly controlled could face risks of data interception. Although the attack complexity is high and exploitation requires local network access, the exposure of sensitive neurofeedback or biometric data could lead to privacy violations or unauthorized data collection. The lack of vendor response and absence of patches prolongs the window of vulnerability. However, the limited attack vector and low CVSS score indicate that the overall risk to large-scale operations or critical infrastructure is minimal. Still, healthcare providers, research institutions, or enterprises utilizing these devices for sensitive cognitive or biometric monitoring should consider the confidentiality risks. The vulnerability does not affect device integrity or availability, so operational disruption is unlikely. No known active exploitation reduces immediate threat levels but does not eliminate future risk.

Given the absence of vendor patches, organizations should implement compensating controls to mitigate this vulnerability. First, restrict physical and network access to the local environment where the Mendi Neurofeedback Headsets operate, ensuring only trusted devices and personnel can connect to the local network. Employ network segmentation and strong access controls to isolate BLE communication traffic from broader enterprise networks. Use Bluetooth security features such as pairing with authentication and encryption where possible, verifying that devices enforce secure connections. Monitor local network traffic for unusual BLE activity or unauthorized devices attempting to intercept communications. If feasible, limit the use of the affected headset version or replace it with devices that implement secure BLE communication with encryption. Educate users about the risks of using the headset in unsecured or public local networks. Finally, maintain vigilance for vendor updates or patches and apply them promptly once available.