CVE-2026-1442
Published: 27 February 2026
Summary
CVE-2026-1442 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Unitree Go2 Edu Standard Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001). It is ranked at the 1.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Implements integrity verification mechanisms such as cryptographic hashes or digital signatures to detect and prevent installation of tampered firmware updates.
- Requires firmware update components to be digitally signed, ensuring devices only trust and apply authentic, untampered updates from authorized sources.
- Establishes and manages cryptographic keys used for firmware update encryption securely, preventing attacker access to key material needed for tampering.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak hard-coded cryptography in firmware updates directly enables the creation and trusted installation of malicious firmware images that are loaded at boot.
NVD Description
Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree's current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner's knowledge.
Deeper analysis
CVE-2026-1442 affects the firmware update process in Unitree robotics products, including the Unitree Go2 and all current offerings as of February 26, 2026. The encryption algorithm used to protect these updates relies on key material available to attackers or anyone paying attention, enabling unauthorized alteration of firmware packages. Devices trust these tampered updates, constituting a vulnerability in both firmware generation and extraction processes. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-321.
An attacker with local access can exploit this vulnerability with low attack complexity and no privileges, but user interaction is required, such as convincing the equipment owner to apply a modified update. Successful exploitation allows insertion of altered firmware that the device accepts as legitimate, potentially compromising confidentiality, integrity, and availability to a high degree. At the time of disclosure on February 27, 2026, no publicly-documented mechanism existed to subvert the update process without the owner's knowledge.
References point to a GitHub repository (UniTEABag) and discussions on LinkedIn and X, which appear to detail the issue and possibly include proof-of-concept demonstrations, but no vendor advisories or patches are specified in the available information.
Details
- CWE(s)