PT-2026-22179 · Unitree · Unitree Go2 Android Application, Unitree Go2 Firmware
Author: Olivier Laflamme
Published: 2026-02-26 · Updated: 2026-03-17
CVE-2026-27510
CVSS v3.1: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Unitree Go2 firmware versions 1.1.7 through 1.1.11
Description
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are susceptible to remote code execution because of a lack of integrity protection and validation of user-created programs. The Android application stores programs in a local SQLite database (unitree go2.db, table dog programme) and transmits the programme text content, including the pyCode field, to the robot. The robot’s actuator manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can manipulate the stored program record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application’s community marketplace can result in arbitrary code execution on any robot that imports and runs it.
Recommendations
For versions 1.1.7 through 1.1.11, avoid importing programs from untrusted sources through the application's community marketplace.
For versions 1.1.7 through 1.1.11, restrict local access to the Android device to prevent tampering with the stored program records.
For versions 1.1.7 through 1.1.11, as a temporary workaround, consider disabling or restricting the use of the actuator manager.py function until a patch is available.
Exploit
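The root cause above is that the robot runs whatever pyCode it receives with no way to tell a program the user wrote from a record edited in the SQLite file or an unsigned marketplace import. The following is an added example (not Unitree's code) of the kind of integrity check a program executor could apply before running stored program text. It assumes a hypothetical table dog_programme(id, name, pyCode, mac) modelled on the advisory's "dog programme" table, an HMAC-SHA256 tag over the canonical record, and a per-pairing key held only by the robot and the paired app; the key, the mac column and every sample program are constructed for the demo.

```python
"""Integrity check for user-created robot programs (added example, not Unitree code).

Assumptions not taken from the advisory: a table dog_programme(id, name, pyCode, mac),
an HMAC-SHA256 tag over the canonical record, and a pairing key that only the robot
and the paired app hold. All keys and programs below are constructed.
"""
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key. In a real deployment it would live in hardware-backed
# storage on both ends, never in the same SQLite file as the programs.
PAIRING_KEY = b"constructed-demo-pairing-key"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a program record so the tag covers every field in a fixed order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_program(record: dict, key: bytes = PAIRING_KEY) -> str:
    """Tag the app would attach when it saves a program."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_program(record: dict, tag: str, key: bytes = PAIRING_KEY) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(sign_program(record, key), tag)


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the app database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dog_programme ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, pyCode TEXT NOT NULL, mac TEXT)"
    )
    return conn


def store_program(conn: sqlite3.Connection, name: str, py_code: str) -> int:
    """Save a program together with its tag; returns the new row id."""
    tag = sign_program({"name": name, "pyCode": py_code})
    cur = conn.execute(
        "INSERT INTO dog_programme (name, pyCode, mac) VALUES (?, ?, ?)",
        (name, py_code, tag),
    )
    conn.commit()
    return cur.lastrowid


def load_verified_program(conn: sqlite3.Connection, prog_id: int) -> str:
    """What the executor should call instead of trusting pyCode as received.

    Returns the program text only if its tag verifies. A missing tag (an
    imported program nobody signed) or a mismatch (a record edited in the
    SQLite file) raises before anything is executed.
    """
    row = conn.execute(
        "SELECT name, pyCode, mac FROM dog_programme WHERE id = ?", (prog_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no program with id {prog_id}")
    name, py_code, tag = row
    if tag is None or not verify_program({"name": name, "pyCode": py_code}, tag):
        raise PermissionError(f"program {name!r} failed integrity check; not executing")
    return py_code


def tamper_record(conn: sqlite3.Connection, prog_id: int, new_code: str) -> None:
    """Simulate an edit to the stored record by someone without the pairing key."""
    conn.execute("UPDATE dog_programme SET pyCode = ? WHERE id = ?", (new_code, prog_id))
    conn.commit()


def demo() -> dict:
    """Run the check against a genuine, a tampered and an unsigned record."""
    conn = setup_db()
    pid = store_program(conn, "sit", "robot.sit()")
    genuine_ok = load_verified_program(conn, pid) == "robot.sit()"

    tamper_record(conn, pid, "print('replaced program text')")
    try:
        load_verified_program(conn, pid)
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True

    # An imported program with no tag at all must be refused as well.
    cur = conn.execute(
        "INSERT INTO dog_programme (name, pyCode, mac) VALUES (?, ?, NULL)",
        ("imported", "robot.stand()"),
    )
    conn.commit()
    try:
        load_verified_program(conn, cur.lastrowid)
        unsigned_rejected = False
    except PermissionError:
        unsigned_rejected = True

    return {"genuine_ok": genuine_ok, "tampered_rejected": tampered_rejected,
            "unsigned_rejected": unsigned_rejected}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. A tag only helps if the attacker who can edit the database cannot also read the key, so the app side would keep it in hardware-backed keystore rather than next to the programs, and marketplace imports would need a signature from a key the robot trusts (author or vendor) rather than the local pairing key. Integrity also says nothing about what the program does: it should still run with least privilege in a restricted interpreter instead of as root, which is the other half of the advisory's finding.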
Fix
RCE
Insufficient Verification of Data Authenticity
Weakness Enumeration
Related Identifiers
Affected Products
Unitree Go2 Android Application
Unitree Go2 Firmware