CVE-2026-27509HIGH 8.0EPSS p37.7%

CVE-2026-27509CVE-2026-27509

Description

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

Scoring

CVSS 3.18.0 (HIGH)
VectorCVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.48% probability of exploitation · percentile 37.7% · 2026-06-19T12:03:05Z
Published2026-02-26
Last modified2026-05-26

Underlying weaknesses· 1

CWE-306

References

  1. https://boschko.ca/unitree-go2-rce/
  2. https://shop.unitree.com/products/unitree-go2
  3. https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rce

1

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-27510
CVE
CVE-2025-60017
CVE
CVE-2026-49199
CVE
CVE-2025-41709
CVE
CVE-2025-45466
CVE
CVE-2026-24790
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.