QSearchQSearch

CVE-2026-10557

9.8 CRITICAL

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices

Published: 2026-06-12 · Last updated: 2026-06-12

Severity and scoring

CVSS
9.8 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-798

Description

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-50083 The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-... (9.1 CRITICAL)
  • CVE-2026-11849 The  iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remo... (9.8 CRITICAL)
  • CVE-2026-47281 Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network (9.6 CRITICAL)
  • CVE-2026-11414 A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service
  • CVE-2025-71317 NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access (9.8 CRITICAL)