Description
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from missing authentication in an unknown part of Flycatcher Toys smART Sketcher’s Bluetooth Low Energy Interface. An attacker who can position themselves on the same local network can send unauthorized Bluetooth commands to the toy, potentially taking control or causing unintended behavior. The weakness maps to CWE‑287 and CWE‑306, indicating a failure to properly authenticate requests and enforce security controls. The impact is limited to devices that expose the BLE interface, but any connected user could be affected if the toy is used in an uncontrolled environment.

Affected Systems

Flycatcher Toys smART Sketcher devices with firmware versions up to and including 2.0 are affected. No additional product or version information is available in the current report.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium range, while the EPSS score of less than 1% suggests a very low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be within the local network to exploit the flaw, so exposure is limited to physically or logically proximate devices. Because the vendor has not issued a patch or response, the risk remains until an official fix is released or the issue is mitigated through configuration changes.

Generated by OpenCVE AI on April 18, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update once the vendor releases a fix for the Bluetooth authentication issue.
  • Disable or remove the Bluetooth Low Energy interface on the toy when it is not actively in use.
  • Configure network access controls or firewall rules to allow BLE traffic only to authorized MAC addresses.
  • Isolate the toy’s network segment from critical infrastructure to limit lateral movement.
  • Monitor for unusual BLE traffic or command patterns that could indicate exploitation.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 11 Jan 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication
Weaknesses | | CWE-287, CWE-306
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:A/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:30:28.781Z

Reserved: 2026-01-10T09:52:57.730Z

Link: CVE-2026-0842

Vulnrichment

Updated: 2026-01-12T17:32:05.622Z

NVD

Status: Deferred

Published: 2026-01-11T08:16:00.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses