cvedb.io
CVE-2026-27509
HIGH · CVSS 8
EPSS exploitation probability: 0%
Published 2026-02-26T20:31:38.447 · Last modified 2026-06-17T10:27:16.610

Summary

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

Affected products

unitree — go2_firmware

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.