PT-2026-22178 · Unitree+1 · Unitree Go2+1

Olivier Laflamme +1 · Published 2026-02-26 · Updated 2026-02-28 · CVE-2026-27509

CVSS v3.1: 8.0
Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Unitree Go2 firmware versions 1.1.7 through 1.1.9 and 1.1.11 (EDU)

Description
The affected firmware does not implement DDS authentication or authorization for the Eclipse CycloneDDS topic /rt/api/programming_actuator/request managed by actuator_manager.py. An attacker positioned on the same network, without needing to authenticate, can join DDS domain 0 and send a crafted message (api_id=1002) containing arbitrary Python code. This code is then written to disk at /unitree/etc/programming/ and linked to a keybinding on a physical controller. When this keybinding is activated, the code executes with root privileges, and the binding remains active even after reboots.

Recommendations
Update firmware to a version beyond 1.1.11 (EDU).
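
Because the description hinges on any adjacent host being able to join DDS domain 0, a network-side check for unexpected RTPS participants is a useful interim control on segments where affected robots run. The following is an added example, not part of the advisory or of Unitree or CycloneDDS code: it assumes the default RTPS port mapping from the OMG DDSI-RTPS specification, and the function names, allowlist, addresses and datagrams are constructed for illustration.

```python
# Added example: flag RTPS (DDS wire protocol) participants on a domain
# that come from hosts outside an allowlist. Names here are hypothetical.
# Default RTPS port mapping constants (OMG DDSI-RTPS specification).
PB, DG, PG, D0, D1, D2 = 7400, 250, 2, 0, 10, 1

def domain_for_port(port):
    """Map a UDP port to a DDS domain id under the default mapping, else None."""
    if not PB <= port <= 65535:
        return None
    domain, offset = divmod(port - PB, DG)
    # offsets 0/1: multicast discovery/user; offsets >= 10: per-participant unicast
    return domain if offset in (D0, D2) or offset >= D1 else None

def parse_rtps_header(payload):
    """Return (version, vendor_id_hex, guid_prefix_hex), or None if not RTPS."""
    if len(payload) < 20 or payload[:4] != b"RTPS":
        return None
    return (payload[4], payload[5]), payload[6:8].hex(), payload[8:20].hex()

def unexpected_participants(datagrams, allowed_ips, domain=0):
    """One alert per (source IP, GUID prefix) on `domain` from a non-allowlisted host."""
    seen, alerts = set(), []
    for src_ip, dst_port, payload in datagrams:
        header = parse_rtps_header(payload)
        if header is None or domain_for_port(dst_port) != domain:
            continue
        key = (src_ip, header[2])
        if src_ip not in allowed_ips and key not in seen:
            seen.add(key)
            alerts.append({"src": src_ip, "guid_prefix": header[2],
                           "vendor": header[1], "port": dst_port})
    return alerts

def _rtps(guid_prefix, vendor=b"\x01\x10"):
    """Build a constructed 20-byte RTPS header (sample vendor id bytes)."""
    return b"RTPS" + b"\x02\x01" + vendor + guid_prefix

# Constructed sample traffic (documentation address range), not a real capture.
SAMPLE = [
    ("192.0.2.10", 7400, _rtps(b"\xaa" * 12)),  # robot, expected
    ("192.0.2.20", 7400, _rtps(b"\xbb" * 12)),  # operator station, expected
    ("192.0.2.99", 7400, _rtps(b"\xcc" * 12)),  # unknown host announcing on domain 0
    ("192.0.2.99", 7411, _rtps(b"\xcc" * 12)),  # same participant, unicast port
    ("192.0.2.77", 7650, _rtps(b"\xdd" * 12)),  # unknown host, but domain 1
    ("192.0.2.55", 7400, b"not an RTPS datagram...."),
]
ALLOWED = {"192.0.2.10", "192.0.2.20"}

if __name__ == "__main__":
    for alert in unexpected_participants(SAMPLE, ALLOWED):
        print(alert)
```

This only observes who is speaking RTPS on the domain; it does not add the missing authentication, which the firmware update in the recommendation addresses.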

Exploit

Fix

RCE

Missing Authentication

Related Identifiers

CVE-2026-27509

Affected Products

Eclipse Cyclonedds
Unitree Go2