The Yarbo cloud service does not enforce authorization on a per-device or per-user basis. Clients with valid credentials can subscribe to wildcard topics that cover all robots globally and publish commands to any robot's command topic by using the robot's serial number, which is exposed in telemetry data. This design flaw means that possession of any valid credential—whether shared hard-coded credentials or legitimate per-user credentials—enables broad unauthorized access to the entire fleet of robots. Even after removing hard-coded credentials from the application, the lack of per-device access controls allows a single compromised credential to provide fleet-wide control.

An attacker with any valid credential can gain unauthorized access to all robots managed by the Yarbo cloud service. They can subscribe to all telemetry topics and send commands to any robot globally, potentially leading to unauthorized control or disruption of robot operations. This compromises confidentiality and integrity of the robot fleet's command and telemetry data. The vulnerability does not require user interaction and has low attack complexity, increasing the risk of exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor the vendor's announcements for updates. Until a fix is available, restricting credential distribution and monitoring for unusual access patterns may help reduce risk.