Yarbo Android/iOS Mobile Application and Cloud Infrastructure

CRITICAL

CVSS 9.8

Date 2026-06-11T06:00:00+00:00

Source cisa-csaf

Published by CISA

// Description

Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet.

// Vulnerabilities (2)

CVE ID	CVSS Score	Severity	Description
CVE-2026-10557	9.8	critical	The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number..
CVE-2026-7368	8.1	high	The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.

// Remediations (1)

Mitigation: Yarbo recommends users update the Yarbo mobile app to 3.17.4 or later. Server-side broker authorizat

Yarbo recommends users update the Yarbo mobile app to 3.17.4 or later. Server-side broker authorization will be enforced automatically upon deployment of the May 2026 update. No user action is required.

Yarbo Android/iOS Mobile Application and Cloud Infrastructure

// Description

// Vulnerabilities (2)

// Remediations (1)

// References