CVE-2026-2065
Published: 06 February 2026
Summary
CVE-2026-2065 is a medium-severity Improper Authentication (CWE-287) vulnerability in Flycatcher Smart Pixelator Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 5.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session content review can reveal authentication bypasses or failures in session establishment.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.
Personnel screening, identity verification, and access-agreement requirements support reliable authentication and reduce authentication bypass opportunities.
Decoy authentication surfaces detect bypass attempts and deflect real credential attacks through observable malicious interactions.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Always invoking the reference monitor prevents missing authorization checks for protected resources.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Missing authentication on the BLE interface directly enables exploitation of the device's remote service for unauthorized access or control.
NVD Description
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI)
CVE-2026-2065 is a security vulnerability in Flycatcher Toys smART Pixelator 2.0, specifically affecting an unknown functionality within its Bluetooth Low Energy Interface component. The flaw stems from missing authentication, mapped to CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-06.
Attackers on the local network can exploit this issue with low complexity, no required privileges, and no user interaction. Manipulation of the vulnerable component enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or control over affected device functions.
VulDB advisories (ctiid.344632, id.344632) and a GitHub repository (davidrxchester/smart-pixelator-upload) hosting a proof-of-concept exploit (poc.py) confirm the issue, noting that the vendor was contacted early but provided no response. No patches or official mitigations are available.
The exploit has been publicly released and may be used for attacks, increasing the risk for exposed devices on local networks.
Details
- CWE(s)