CVE-2026-2065

6.3 MEDIUM

📋 TL;DR

CVE-2026-2065 is an authentication bypass vulnerability in Flycatcher Toys smART Pixelator 2.0's Bluetooth Low Energy interface. Attackers on the local network can exploit this to gain unauthorized access to device functionality. All users of smART Pixelator 2.0 with Bluetooth enabled are affected.

💻 Affected Systems

Products:
  • Flycatcher Toys smART Pixelator
Versions: 2.0
Operating Systems: Embedded/Device-specific
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Bluetooth Low Energy interface to be enabled and reachable from the local network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the smART Pixelator device allowing unauthorized control, data exfiltration, or device manipulation.

🟠 Likely Case

Unauthorized access to device functions, potential data leakage, and disruption of normal operations.

🟢 If Mitigated

Limited impact if the Bluetooth interface is disabled or network segmentation prevents local access.

🌐 Internet-Facing: LOW (attack requires local network access)
🏢 Internal Only: HIGH (exploitable from local network with public PoC available)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available on GitHub, making exploitation straightforward for attackers with local network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. The vendor was contacted but did not respond. Consider workarounds or replacement.

🔧 Temporary Workarounds

Disable Bluetooth Interface

Applies to: all

Turn off Bluetooth Low Energy functionality to prevent exploitation.

Device-specific: check the manufacturer's documentation for how to disable Bluetooth.

Network Segmentation

Applies to: all

Isolate smART Pixelator devices on a separate VLAN or network segment.

🧯 If You Can't Patch

  • Physically disconnect from network when not in use
  • Implement strict network access controls to limit which devices can communicate with the Pixelator

🔍 How to Verify

Check if Vulnerable:

Check device version in settings/configuration. If running smART Pixelator 2.0 with Bluetooth enabled, assume vulnerable.

Check Version:

Device-specific: typically through the device interface or the manufacturer's app.

Verify Fix Applied:

No official fix available. Verify workarounds by testing Bluetooth connectivity and network access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Bluetooth connection attempts
  • Unauthorized access patterns to device functions

Network Indicators:

  • Unexpected BLE traffic to Pixelator devices
  • Connection attempts from unauthorized MAC addresses

SIEM Query:

source_ip IN (local_network) AND dest_ip = (pixelator_ip) AND protocol = BLE AND auth_failure = true

This is a pseudo-query: BLE link-layer traffic does not carry IP addresses, so these fields only apply if a gateway, hub or BLE sniffer exports the device's connection and authentication events into your SIEM; map the field names to that logging source.
