CVE-2026-27509

8.0 HIGH

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclip...

Published: 2026-02-26 · Last updated: 2026-05-26

Severity and scoring

CVSS: 8.0 HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-306

Affected products

Vendor	Product
unitree	go2_edu_firmware, go2_firmware

Description

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-27509
[Exploit reference]https://boschko.ca/unitree-go2-rce/
[Other]https://shop.unitree.com/products/unitree-go2
[Other]https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rce

Related CVEs

Same CWE

CVE-2026-0647 — An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server
CVE-2018-25437 — WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download... (7.5 HIGH)
CVE-2026-12183 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)
CVE-2026-53868 — Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses ... (7.5 HIGH)
CVE-2026-50287 — AgenticMail gives AI agents real email addresses and phone numbers