PT-2026-22179 · Unitree · Unitree Go2 Android Application +1

Olivier Laflamme +1 · Published 2026-02-26 · Updated 2026-06-16 · CVE-2026-27510

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Unitree Go2 versions 1.1.7 through 1.1.11

Description

Remote code execution is possible due to a lack of integrity protection and validation of user-created programs when used with the Unitree Go2 Android application (com.unitree.doggo2). The application stores programs in a local SQLite database (unitree go2.db, table dog programme) and transmits the programme text content, specifically the pyCode field, to the robot. The robot's actuator manager.py function executes the provided Python code as root without verifying its integrity or validating the content. An attacker with local access to the Android device can manipulate the stored program record to inject arbitrary Python code, which executes when the user triggers the program via a controller keybinding; this malicious binding persists after reboots. Furthermore, importing and running a malicious program shared through the application's community marketplace can lead to arbitrary code execution on the robot.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
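
The two checks the description says are missing, integrity verification and content validation of pyCode before execution, sketched as an added example; this is not Unitree's code or a vendor fix. The call allowlist, the function names and the HMAC key shared between the robot and a trusted signer are all assumptions. A key stored in the Android app would not cover the local-access case, where a signature verified against a public key held on the robot is the usual replacement.

```python
import ast
import hashlib
import hmac

# Hypothetical allowlist of motion calls a user program may make (not Unitree's API).
ALLOWED_CALLS = {"stand_up", "sit_down", "move", "wait"}
# Node types allowed: bare calls with literal arguments. Imports, attributes,
# assignments and everything else are rejected.
ALLOWED_NODES = (ast.Module, ast.Expr, ast.Call, ast.Name, ast.Load,
                 ast.Constant, ast.UnaryOp, ast.USub, ast.keyword)


def sign_program(py_code: str, key: bytes) -> str:
    """Tag computed by the trusted signer when a program is approved."""
    return hmac.new(key, py_code.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_program(py_code: str) -> list[str]:
    """Return policy violations found in the program text; empty means acceptable."""
    try:
        tree = ast.parse(py_code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        where = f"line {getattr(node, 'lineno', '?')}"
        if not isinstance(node, ALLOWED_NODES):
            problems.append(f"{where}: {type(node).__name__} not permitted")
        elif isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            problems.append(f"{where}: only direct calls to allowlisted names")
        elif isinstance(node, ast.Name) and node.id not in ALLOWED_CALLS:
            problems.append(f"{where}: name '{node.id}' not allowlisted")
    return problems


def accept_program(py_code: str, tag: str, key: bytes) -> tuple[bool, list[str]]:
    """Gate to run before any execution: authenticity first, then content policy."""
    expected = sign_program(py_code, key).encode("utf-8")
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return False, ["integrity tag mismatch"]
    problems = validate_program(py_code)
    return not problems, problems


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key must never live in the app
    approved = "stand_up()\nmove(0.3, 0, 0)\nwait(2)\nsit_down()\n"  # constructed sample
    tag = sign_program(approved, key)
    print(accept_program(approved, tag, key))                  # unmodified record
    print(accept_program(approved + "import os\n", tag, key))  # record edited after signing
```

The tag check catches a record edited after approval, and the AST check rejects a program that arrives with a valid tag but contains anything beyond allowlisted calls, which is the marketplace case.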

Exploit

RCE

Insufficient Verification of Data Authenticity


Weakness Enumeration

Related Identifiers

CVE-2026-27510

Affected Products

Unitree Go2 Android Application
Unitree Go2 Firmware