PT-2026-22178 · Unitree · Unitree Go2
Olivier Laflamme
Published 2026-02-26 · Updated 2026-03-17
CVE-2026-27509
CVSS v3.1: 8.0
Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Unitree Go2 firmware versions 1.1.7 through 1.1.9 and 1.1.11 (EDU)
Description
The affected firmware does not implement DDS authentication or authorization for the Eclipse CycloneDDS topic /rt/api/programming_actuator/request, which is handled by actuator_manager.py. An attacker positioned on the same network can, without authenticating, join DDS domain 0 and send a crafted request message (api_id=1002) containing arbitrary Python code. The firmware writes this code to disk under /unitree/etc/programming/ and links it to a keybinding on the physical controller. When that keybinding is activated, the code executes with root privileges, and the binding persists across reboots.
Recommendations
Update firmware to a version beyond 1.1.11 (EDU).
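The weakness is a domain-0 participant that accepts writers without any identity or permission check. As an added example that is not part of the advisory or of Unitree's firmware, the CycloneDDS configuration below shows the unauthenticated default next to a configuration that turns on DDS Security authentication and access control for domain 0; it assumes CycloneDDS reads its configuration from a file referenced by CYCLONEDDS_URI, and every certificate and permissions path is a placeholder.

```xml
<!-- Added example, not taken from the advisory. Assumes CYCLONEDDS_URI points at this file.
     All file: paths are placeholders that must be replaced with real PKI material. -->
<CycloneDDS>
  <!--
    Weak form (the condition described in CVE-2026-27509): domain 0 with no <Security>
    element. Any participant on the LAN is accepted, can discover
    /rt/api/programming_actuator/request and publish to it.

      <Domain id="0"/>
  -->

  <!-- Hardened form: every participant must present a certificate chained to the
       identity CA, and writes are governed by a signed permissions document. -->
  <Domain id="0">
    <Security>
      <Authentication>
        <Library path="dds_security_auth"
                 initFunction="init_authentication"
                 finalizeFunction="finalize_authentication"/>
        <IdentityCertificate>file:/PLACEHOLDER/robot_cert.pem</IdentityCertificate>
        <IdentityCA>file:/PLACEHOLDER/identity_ca.pem</IdentityCA>
        <PrivateKey>file:/PLACEHOLDER/robot_key.pem</PrivateKey>
      </Authentication>
      <AccessControl>
        <Library path="dds_security_ac"
                 initFunction="init_access_control"
                 finalizeFunction="finalize_access_control"/>
        <!-- The governance document must set allow_unauthenticated_participants=false
             and enable_write_access_control=true for the topic rule that covers
             /rt/api/programming_actuator/request, otherwise authentication alone does
             not stop an authenticated but unauthorized peer from publishing. -->
        <Governance>file:/PLACEHOLDER/governance.p7s</Governance>
        <PermissionsCA>file:/PLACEHOLDER/permissions_ca.pem</PermissionsCA>
        <Permissions>file:/PLACEHOLDER/permissions.p7s</Permissions>
      </AccessControl>
      <Cryptographic>
        <Library path="dds_security_crypto"
                 initFunction="init_crypto"
                 finalizeFunction="finalize_crypto"/>
      </Cryptographic>
    </Security>
  </Domain>
</CycloneDDS>
```

With this in place an unauthenticated host on the same network fails the participant handshake and never matches the request topic; the vendor firmware update remains the actual fix for the affected versions.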
Tags: Exploit · Fix · RCE · Missing Authentication
Affected Products: Eclipse CycloneDDS, Unitree Go2