
Yarbo firmware CVE-2026-7415

EUVD-2026-28400 | CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-07 | AHA | GHSA-5jxr-5v22-49gf
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 07, 2026 - 17:30 (vuln.today)
CVE Published: May 07, 2026 - 16:11 (nvd)

Description (NVD)

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.
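As an added example (not code from the vuln.today page, from Yarbo, or from any broker vendor), the script below audits a broker configuration file for the two conditions the description names: anonymous connections permitted, and no topic-level ACLs. The page does not say which MQTT broker the firmware embeds; the Mosquitto directive names used here (`listener`, `allow_anonymous`, `password_file`, `acl_file`) and both sample configurations are assumptions constructed for the example.

```python
"""Audit a Mosquitto-style MQTT broker configuration for the anonymous-access
weakness described in CVE-2026-7415 (CWE-306).

Added example, not code from the vuln.today page, Yarbo, or any broker vendor.
The advisory does not identify the broker implementation; the Mosquitto
directive names below are an assumption.
"""
from __future__ import annotations

# Constructed sample: a listener on all interfaces that accepts anonymous
# clients and defines no credentials or ACLs, matching the advisory text.
WEAK_CONF = """
listener 1883 0.0.0.0
allow_anonymous true
"""

# Constructed sample: the same listener with credentials and topic ACLs required.
HARDENED_CONF = """
listener 1883 0.0.0.0
allow_anonymous false
password_file /etc/mosquitto/passwd   # hypothetical path
acl_file /etc/mosquitto/acl           # hypothetical path
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse 'directive value' lines, ignoring blanks and '#' comments.
    A directive that appears twice keeps its last value."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit(text: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was found."""
    s = parse_conf(text)
    findings: list[str] = []

    # The default for allow_anonymous differs between broker versions, so an
    # absent directive is reported rather than assumed safe.
    anon = s.get("allow_anonymous")
    if anon is None:
        findings.append("allow_anonymous not set explicitly; set it to false")
    elif anon.lower() == "true":
        findings.append("allow_anonymous true: unauthenticated clients accepted (CWE-306)")

    # Without a credential store, nothing can be authenticated even if
    # anonymous access were disabled.
    if "password_file" not in s and "psk_file" not in s:
        findings.append("no password_file/psk_file: no client credentials configured")

    # Without an ACL file every connected client can publish and subscribe
    # to every topic, including telemetry and control topics.
    if "acl_file" not in s:
        findings.append("no acl_file: any client may publish/subscribe to every topic")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for f in result:
            print(f"  - {f}")
```

Running the script prints three findings for the weak configuration and none for the hardened one. Disabling anonymous access alone does not close the issue the description raises: without an ACL file, every authenticated client still has unrestricted publish and subscribe rights, so both checks are needed.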

Analysis (AI)

Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully control the robotic lawn mower and exfiltrate sensitive telemetry data. The embedded MQTT broker accepts connections without credentials and enforces no topic-level access controls, enabling arbitrary publish/subscribe operations. …


Remediation (AI)

Within 24 hours: Inventory all Yarbo devices running firmware v2.3.9 and isolate them to a segregated network segment with no internet access. Within 7 days: Contact Yarbo support to determine available firmware updates or workarounds; temporarily disable MQTT functionality if the device interface permits. …



CVE-2026-7415 vulnerability details – vuln.today
