CVE-2026-2065
Published: 06 February 2026
Summary
CVE-2026-2065 is a medium-severity Improper Authentication (CWE-287) vulnerability in Flycatcher Smart Pixelator Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability ranks at the 41.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Deeper analysis
CVE-2026-2065 is a security vulnerability in Flycatcher Toys smART Pixelator 2.0, specifically affecting an unknown functionality within its Bluetooth Low Energy Interface component. The flaw stems from missing authentication, mapped to CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-06.
Attackers on the local network can exploit this issue with low complexity, no required privileges, and no user interaction. Manipulation of the vulnerable component enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or control over affected device functions.
VulDB advisories (ctiid.344632, id.344632) and a GitHub repository (davidrxchester/smart-pixelator-upload) hosting a proof-of-concept exploit (poc.py) confirm the issue, noting that the vendor was contacted early but provided no response. No patches or official mitigations are available.
The exploit has been publicly released and may be used for attacks, increasing the risk for exposed devices on local networks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5594
Vulnerability details
A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Missing authentication on BLE interface directly enables exploitation of the device's remote service for unauthorized access/control.
Mitigating Controls (NIST 800-53 r5) (AI)
- AC-3 (Access Enforcement): Directly enforces authentication before allowing any manipulation of the BLE interface functions, blocking the missing-authentication flaw exploited by CVE-2026-2065.
- IA-3 (Device Identification and Authentication): Requires cryptographic or mutual device identification and authentication for all Bluetooth Low Energy connections, directly closing the unauthenticated access vector in the smART Pixelator.
- Mandates authentication and encryption for wireless (BLE) network access, limiting the local-network attack surface described in the CVE.