VYPR
High severity8.0NVD Advisory· Published Feb 26, 2026· Updated May 26, 2026

CVE-2026-27509

CVE-2026-27509

Description

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Range: >=V1.1.7 <=V1.1.9, V1.1.11 (EDU)
  • UnitreeRobotics/Unitree Go2v5
    Range: 1.1.7

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.