Home

Description

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-26 | Updated 2026-02-26 | Assigner VulnCheck




HIGH: 8.5CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

1.1.7 (semver)
affected

1.1.11 (EDU only) (semver)
affected

Credits

Olivier Laflamme finder

Ruikai Peng finder

References

boschko.ca/unitree-go2-rce/ technical-description exploit

shop.unitree.com/products/unitree-go2 product

www.vulncheck.com/...dds-authentication-enables-adjacent-rce third-party-advisory

cve.org (CVE-2026-27509)

nvd.nist.gov (CVE-2026-27509)

Download JSON