Skip to main content

Neorhythm CVE-2026-2756

| EUVDEUVD-2026-14254 LOW
Missing Authentication for Critical Function (CWE-306)
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 24, 2026 - 16:37 NVD
MEDIUM LOW
CVSS changed
Apr 24, 2026 - 16:37 NVD
5.0 (MEDIUM) 2.3 (LOW)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 21, 2026 - 17:45 euvd
EUVD-2026-14254
Analysis Generated
Mar 21, 2026 - 17:45 vuln.today
CVE Published
Mar 21, 2026 - 17:32 nvd
MEDIUM 5.0

DescriptionCVE.org

A security vulnerability has been detected in OmniPEMF NeoRhythm up to 20260308. This affects an unknown function of the component BLE Interface. Such manipulation leads to missing authentication. The attack can only be initiated within the local network. This attack is characterized by high complexity. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

OmniPEMF NeoRhythm contains a missing authentication vulnerability in its Bluetooth Low Energy (BLE) interface that allows unauthenticated local network attackers to achieve limited unauthorized access. The vulnerability affects all versions up to and including 20260308 and requires high attack complexity but results in confidentiality, integrity, and availability impacts. While the CVSS score is moderate at 5.0, the vendor has failed to respond to early disclosure notifications, leaving affected users without official patches or timeline guidance.

Technical ContextAI

The vulnerability exists in the BLE Interface component of OmniPEMF NeoRhythm, a Bluetooth-enabled medical device or wellness application. The root cause is classified under CWE-306 (Missing Authentication for Critical Function), indicating that the BLE interface fails to properly authenticate incoming commands or connections before processing sensitive operations. BLE operates on a short-range wireless protocol commonly used in wearables, medical devices, and personal health equipment. The affected product CPE (cpe:2.3:a:omnipemf:neorhythm:*:*:*:*:*:*:*:*) indicates all versions of the OmniPEMF NeoRhythm application are potentially vulnerable up to build date 20260308. The authentication bypass likely permits an attacker in radio proximity to interact with the device or its connected systems without proper credential validation.

RemediationAI

Users of OmniPEMF NeoRhythm should immediately check the vendor's website (omnipemf.com or equivalent) for patched versions beyond build 20260308, though the vendor's unresponsiveness suggests patches may not be available. If a patched version is released, upgrade to it without delay. Until vendor patches become available, mitigate risk by restricting BLE connectivity to trusted devices only, disabling BLE functionality when not in active use, keeping the NeoRhythm device and any connected applications updated to the latest available version, and isolating the device on a segmented network with minimal access to critical systems. Consider contacting OmniPEMF directly via alternative channels to escalate the vendor response issue. For organizations using NeoRhythm in medical or sensitive contexts, document this vulnerability in your risk register and evaluate whether alternative products with active vendor support should be considered.

Share

CVE-2026-2756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy