CVE-2026-27509
Published: 26 February 2026
Summary
CVE-2026-27509 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Unitree Go2 Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces access control policies to require authentication and authorization for publishing to the DDS topic rt/api/programming_actuator/request, directly preventing unauthenticated message injection.
Requires identification and authentication of devices joining DDS domain 0, blocking network-adjacent unauthenticated attackers from participating.
Validates the content of incoming DDS messages with api_id=1002 to reject arbitrary Python code payloads before writing to disk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing DDS authentication enables unauthenticated network-adjacent publishing to actuator_manager.py, directly facilitating T1190 exploitation of the exposed service and T1059.006 execution of attacker-supplied Python code that achieves root persistence.
NVD Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Deeper analysis
CVE-2026-27509 affects Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU), stemming from a lack of DDS authentication or authorization in the Eclipse CycloneDDS topic rt/api/programming_actuator/request, which is handled by actuator_manager.py. This vulnerability, classified under CWE-306 (Missing Authentication for Critical Function), has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It was published on 2026-02-26.
A network-adjacent, unauthenticated attacker can exploit this by joining DDS domain 0 and publishing a crafted message with api_id=1002 containing arbitrary Python code. The Unitree Go2 robot processes this message by writing the code to disk under /unitree/etc/programming/ and binding it to a physical controller keybinding. When the keybinding is pressed, the code executes with root privileges, and the binding persists across reboots, enabling high-impact confidentiality, integrity, and availability violations.
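Because the injected code is written under /unitree/etc/programming/ and survives reboots, that directory is the place to look for drift during triage. The following is an added example, not code from the advisory or from Unitree: a baseline-and-compare check of that directory. The function names and the baseline file name are assumptions, and the baseline is only useful if it was taken from a state known to be clean.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

# Directory named in the advisory; all other names below are assumptions.
PROGRAMMING_DIR = Path("/unitree/etc/programming")


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path) to a content fingerprint."""
    entries = {}
    if not root.is_dir():
        return entries
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.is_symlink():
            # Record the link target instead of following it.
            entries[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            entries[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entries


def write_baseline(root: Path, baseline_file: Path) -> None:
    """Store a snapshot; only meaningful if taken from a known-clean state."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2))


def audit(root: Path, baseline_file: Path) -> dict:
    """Compare root with the baseline; with no baseline, every file is 'added'."""
    old = json.loads(baseline_file.read_text()) if baseline_file.exists() else {}
    new = snapshot(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


if __name__ == "__main__":
    baseline = Path("go2_programming_baseline.json")  # hypothetical file name
    if sys.argv[1:] == ["baseline"]:
        write_baseline(PROGRAMMING_DIR, baseline)
    else:
        drift = audit(PROGRAMMING_DIR, baseline)
        print(json.dumps(drift, indent=2))
        sys.exit(1 if any(drift.values()) else 0)
```

Run with the argument `baseline` once on a clean unit, then without arguments to report added, removed, or modified files; a non-zero exit status indicates drift.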
Advisories and additional details are available in the following references: https://boschko.ca/unitree-go2-rce/, https://shop.unitree.com/products/unitree-go2, and https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rce.
Details
- CWE(s)