CVE-2026-27510: CWE-345 Insufficient Verification of Data Authenticity in UnitreeRobotics Unitree Go2
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.
AI Analysis
Technical Summary
CVE-2026-27510 affects Unitree Go2 robots running firmware versions 1.1.7 through 1.1.11 in conjunction with the Unitree Go2 Android application. The vulnerability arises from insufficient verification of data authenticity (CWE-345) in user-created programs stored in a local SQLite database on the Android device. The robot executes Python code from these programs as root without integrity checks or content validation. This allows an attacker with local access to the Android device to tamper with stored programs to execute arbitrary code on the robot. Additionally, malicious programs distributed through the app's community marketplace can compromise any robot that imports and runs them. No official patch or remediation information is currently provided.
Potential Impact
Successful exploitation allows an attacker with local access to the Android device to execute arbitrary Python code with root privileges on the Unitree Go2 robot. This can lead to full control over the robot's functions and persistent compromise across reboots. The vulnerability also enables remote code execution via malicious programs shared through the community marketplace, potentially affecting multiple robots that import such programs.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should restrict local access to the Android device running the Unitree Go2 app and avoid importing programs from untrusted sources in the community marketplace. Monitoring for updates from UnitreeRobotics is recommended to apply any forthcoming patches or official mitigations.
CVE-2026-27510: CWE-345 Insufficient Verification of Data Authenticity in UnitreeRobotics Unitree Go2
Description
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.
CVSS v4.0
Score 6.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-27510 affects Unitree Go2 robots running firmware versions 1.1.7 through 1.1.11 in conjunction with the Unitree Go2 Android application. The vulnerability arises from insufficient verification of data authenticity (CWE-345) in user-created programs stored in a local SQLite database on the Android device. The robot executes Python code from these programs as root without integrity checks or content validation. This allows an attacker with local access to the Android device to tamper with stored programs to execute arbitrary code on the robot. Additionally, malicious programs distributed through the app's community marketplace can compromise any robot that imports and runs them. No official patch or remediation information is currently provided.
Potential Impact
Successful exploitation allows an attacker with local access to the Android device to execute arbitrary Python code with root privileges on the Unitree Go2 robot. This can lead to full control over the robot's functions and persistent compromise across reboots. The vulnerability also enables remote code execution via malicious programs shared through the community marketplace, potentially affecting multiple robots that import such programs.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should restrict local access to the Android device running the Unitree Go2 app and avoid importing programs from untrusted sources in the community marketplace. Monitoring for updates from UnitreeRobotics is recommended to apply any forthcoming patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-19T19:51:07.327Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a0a43885912abc71d61abb
Added to database: 2/26/2026, 7:51:20 PM
Last enriched: 5/26/2026, 7:42:55 AM
Last updated: 5/29/2026, 4:19:15 PM
Views: 219
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.