AI description
CVE-2026-27509 describes a vulnerability found in specific firmware versions of the Unitree Go2 robot. This flaw stems from the absence of DDS (Data Distribution Service) authentication or authorization for the `rt/api/programming_actuator/request` topic, which is managed by `actuator_manager.py`. As a result, a network-adjacent and unauthenticated attacker can connect to DDS domain 0. They can then publish a specially crafted message containing arbitrary Python code. This code is subsequently written to the robot's disk under `/unitree/etc/programming/` and linked to a physical controller keybinding. When this keybinding is activated, the injected code executes with root privileges and persists even after the robot reboots. The affected firmware versions include V1.1.7 through V1.1.9, and V1.1.11 (EDU).
- Description
- Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
- Source
- disclosure@vulncheck.com
- NVD status
- Modified
- Products
- go2_firmware, go2_edu_firmware
CVSS 4.0
- Type
- Secondary
- Base score
- 8.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Secondary
- Base score
- 8
- Impact score
- 5.9
- Exploitability score
- 2.1
- Vector string
- CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- disclosure@vulncheck.com
- CWE-306
- Hype score
- Not currently trending
Root RCE on Unitree GO2 robots via unauthenticated DDS and mobile DB tampering (CVE-2026-27509 / CVE-2026-27510). Work by @olivier_boschko and @ruikai https://t.co/jtw1aHtLq7 #infosec https://t.co/pC8UWRMwKp
@0xor0ne
14 May 2026
2883 Impressions
10 Retweets
55 Likes
20 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-20127 3 - CVE-2025-59536 4 - CVE-2026-27509 5 - CVE-2026-27739 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
27 Feb 2026
246 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2736E1DA-AA06-4AEE-8EEC-4731BF3A4AB6",
"versionEndIncluding": "1.1.9",
"versionStartIncluding": "1.1.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "372BB5C0-26D8-4E99-A63E-F4FB2D0A50C2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:unitree:go2_edu_firmware:1.1.11:*:*:*:*:*:*:*",
"matchCriteriaId": "F5D56F44-88E0-4091-AC92-CEB384C5F86C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:unitree:go2_edu:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5D8501EA-2CCC-4615-92FD-A3C46A71FEAE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
]