PT-2026-22178 · Eclipse+1 · Eclipse Cyclonedds+1

Olivier Laflamme +1 · Published 2026-02-26 · Updated 2026-06-16 · CVE-2026-27509

CVSS v3.1: 8.0 High

Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Unitree Go2 versions V1.1.7 through V1.1.9
Unitree Go2 version V1.1.11 (EDU)

Description

Lack of DDS authentication and authorization for the Eclipse CycloneDDS topic "rt/api/programming_actuator/request" handled by actuator_manager.py allows a network-adjacent, unauthenticated attacker to join DDS domain 0. By publishing a crafted message with the variable api_id=1002 containing arbitrary Python code, the attacker can cause the robot to write this code to the disk under /unitree/etc/programming/ and bind it to a physical controller keybinding. Once the keybinding is pressed, the code executes with root privileges, and the binding remains active after reboots.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-27509

Affected Products

Eclipse Cyclonedds
Unitree Go2