Skip to main content

Yarbo Android Ios Mobile Application

2 CVEs product

Monthly

CVE-2026-10557 CRITICAL PATCH CISA Act Now

Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.

Google Authentication Bypass Apple Yarbo Android Ios Mobile Application Yarbo Cloud Mqtt Infrastructure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-7368 HIGH PATCH CISA Act Now

Authorization bypass in Yarbo's cloud MQTT infrastructure allows any authenticated client to subscribe to wildcard topics covering the entire global robot fleet and to publish commands to any robot using only its serial number, which is itself disclosed in the telemetry stream. The flaw affects both the Yarbo Android/iOS mobile application and the backing cloud MQTT broker, and no public exploit identified at time of analysis, but the design defect means a single compromised credential yields fleet-wide control.

Authentication Bypass Yarbo Android Ios Mobile Application Yarbo Cloud Mqtt Infrastructure
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Hard-coded MQTT broker credentials in Yarbo Android and iOS applications allow remote unauthenticated attackers to subscribe to and publish on the cloud MQTT brokers serving the entire global Yarbo robot fleet. Because the credentials are identical across all users and devices and trivially extractable via APK decompilation, anyone knowing a target robot's serial number can read its telemetry or send arbitrary commands. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CISA ICS advisory reflect the systemic, fleet-wide nature of the exposure.

Google Authentication Bypass Apple +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH Act Now

Authorization bypass in Yarbo's cloud MQTT infrastructure allows any authenticated client to subscribe to wildcard topics covering the entire global robot fleet and to publish commands to any robot using only its serial number, which is itself disclosed in the telemetry stream. The flaw affects both the Yarbo Android/iOS mobile application and the backing cloud MQTT broker, and no public exploit identified at time of analysis, but the design defect means a single compromised credential yields fleet-wide control.

Authentication Bypass Yarbo Android Ios Mobile Application Yarbo Cloud Mqtt Infrastructure
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy