High severity8.0NVD Advisory· Published Feb 26, 2026· Updated May 26, 2026
CVE-2026-27509
CVE-2026-27509
Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: >=V1.1.7 <=V1.1.9, V1.1.11 (EDU)
- UnitreeRobotics/Unitree Go2v5Range: 1.1.7
Patches
Vulnerability mechanics
References
3- boschko.ca/unitree-go2-rce/nvdExploitThird Party Advisory
- www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rcenvdThird Party Advisory
- shop.unitree.com/products/unitree-go2nvdProduct
News mentions
0No linked articles in our index yet.