CVE-2026-27509: CWE-306 Missing Authentication for Critical Function in UnitreeRobotics Unitree Go2
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
AI Analysis
Technical Summary
CVE-2026-27509 describes a missing authentication vulnerability (CWE-306) in UnitreeRobotics Unitree Go2 firmware versions 1.1.7 through 1.1.9 and 1.1.11 (EDU). The vulnerability affects the DDS topic rt/api/programming_actuator/request handled by actuator_manager.py, which does not enforce DDS authentication or authorization. An attacker on the same network can join DDS domain 0 and send a crafted message (api_id=1002) containing arbitrary Python code. This code is saved under /unitree/etc/programming/ and bound to a physical controller keybinding, which executes the code with root privileges when triggered. The binding remains effective after reboot, allowing persistent root-level code execution.
Potential Impact
An unauthenticated, network-adjacent attacker can achieve persistent root code execution on affected Unitree Go2 robots by exploiting this vulnerability. This compromises the integrity and control of the device, potentially allowing full system takeover. The vulnerability does not require prior authentication or privileges, increasing its severity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict network access to the DDS domain 0 to trusted entities only and monitor for unauthorized DDS domain joins. Avoid exposing the robot's network interfaces to untrusted networks. Follow UnitreeRobotics advisories for updates on patches or official mitigations.
CVE-2026-27509: CWE-306 Missing Authentication for Critical Function in UnitreeRobotics Unitree Go2
Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
CVSS v4.0
Score 8.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-27509 describes a missing authentication vulnerability (CWE-306) in UnitreeRobotics Unitree Go2 firmware versions 1.1.7 through 1.1.9 and 1.1.11 (EDU). The vulnerability affects the DDS topic rt/api/programming_actuator/request handled by actuator_manager.py, which does not enforce DDS authentication or authorization. An attacker on the same network can join DDS domain 0 and send a crafted message (api_id=1002) containing arbitrary Python code. This code is saved under /unitree/etc/programming/ and bound to a physical controller keybinding, which executes the code with root privileges when triggered. The binding remains effective after reboot, allowing persistent root-level code execution.
Potential Impact
An unauthenticated, network-adjacent attacker can achieve persistent root code execution on affected Unitree Go2 robots by exploiting this vulnerability. This compromises the integrity and control of the device, potentially allowing full system takeover. The vulnerability does not require prior authentication or privileges, increasing its severity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict network access to the DDS domain 0 to trusted entities only and monitor for unauthorized DDS domain joins. Avoid exposing the robot's network interfaces to untrusted networks. Follow UnitreeRobotics advisories for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-19T19:51:07.327Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a0a43885912abc71d61ab6
Added to database: 2/26/2026, 7:51:20 PM
Last enriched: 5/26/2026, 8:21:29 PM
Last updated: 5/29/2026, 11:39:13 AM
Views: 188
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.