Description
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
Published: 2026-06-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from hard-coded MQTT broker credentials embedded in the Yarbo Android and iOS apps. Because the same credentials are used for every device, an attacker who can extract them from the app binary gains unrestricted read access to all robot telemetry topics and write access to any robot command topic using only the robot serial number. This enables complete observation of the global robot fleet and the ability to issue arbitrary commands to individual robots.

Affected Systems

The affected entities are the Yarbo Android and iOS mobile applications and the Yarbo Cloud MQTT infrastructure. All current versions of the mobile app, prior to update 3.17.4, contain the hard-coded credentials. The corresponding cloud broker services receive connections authenticated with these credentials.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and its absence from the CISA KEV catalog means no public exploitation has been recorded so far; no EPSS score is provided. Attackers can exploit this flaw remotely by extracting the credentials from a decompiled APK or IPA (or via other reverse-engineering techniques) and then connecting to the MQTT brokers. Once authenticated, they can listen to every telemetry feed or command any robot, which poses a high risk to the confidentiality, integrity, and availability of the fleet.

Generated by OpenCVE AI on June 12, 2026 at 15:27 UTC.

Remediation

Vendor Solution

Yarbo recommends users update the Yarbo mobile app to 3.17.4 or later. Server-side broker authorization will be enforced automatically upon deployment of the May 2026 update. No user action is required.

OpenCVE Recommended Actions

  • Install Yarbo mobile app version 3.17.4 or later to eliminate the hard-coded credentials.
  • Confirm that server-side broker authorization is active and enforced following the May 2026 update deployment.
  • Monitor MQTT broker logs for anomalous connections; deny any connections authenticated with legacy credentials.
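The monitoring step above, as an added example that is not part of the OpenCVE record or of Yarbo's own tooling: a pass over broker audit events that flags the three behaviours the Description names (logins with the retired shared credential, wildcard telemetry subscriptions, and commands or telemetry reads aimed at robots the account does not own). The JSON-lines log format, the placeholder legacy username and the robots/<serial>/{telemetry,cmd} topic layout are all assumptions, not values from the advisory.

```python
import json
import re

# Placeholder for the retired shared username; the real value is not on the record.
LEGACY_USERNAME = "LEGACY_SHARED_APP_USER"
# Assumed topic layout: one telemetry and one command topic per robot serial.
TELEMETRY_RE = re.compile(r"^robots/(?P<serial>[^/]+)/telemetry$")
COMMAND_RE = re.compile(r"^robots/(?P<serial>[^/]+)/cmd$")

# Constructed JSON-lines audit log; "serials" lists the robots bound to the account.
SAMPLE_LOG = """\
{"ts": 1, "event": "connect", "client": "c1", "user": "LEGACY_SHARED_APP_USER", "serials": []}
{"ts": 2, "event": "subscribe", "client": "c1", "topic": "robots/+/telemetry"}
{"ts": 3, "event": "connect", "client": "c2", "user": "owner-42", "serials": ["SN-0042"]}
{"ts": 4, "event": "subscribe", "client": "c2", "topic": "robots/SN-0042/telemetry"}
{"ts": 5, "event": "publish", "client": "c2", "topic": "robots/SN-0042/cmd"}
{"ts": 6, "event": "publish", "client": "c2", "topic": "robots/SN-0099/cmd"}
{"ts": 7, "event": "subscribe", "client": "c1", "topic": "robots/SN-0042/telemetry"}
"""


def analyse(log_text):
    """Return (ts, client, reason) for every event matching the abuse pattern."""
    owned = {}  # client id -> serials the authenticated account is allowed to touch
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        client, topic = ev["client"], ev.get("topic", "")
        if ev["event"] == "connect":
            owned[client] = set(ev.get("serials", []))
            if ev["user"] == LEGACY_USERNAME:
                findings.append((ev["ts"], client, "legacy shared credential"))
        elif ev["event"] == "subscribe":
            if "+" in topic or "#" in topic:
                findings.append((ev["ts"], client, "wildcard subscription"))
            else:
                m = TELEMETRY_RE.match(topic)
                if m and m["serial"] not in owned.get(client, set()):
                    findings.append((ev["ts"], client, f"telemetry of unowned robot {m['serial']}"))
        elif ev["event"] == "publish":
            m = COMMAND_RE.match(topic)
            if m and m["serial"] not in owned.get(client, set()):
                findings.append((ev["ts"], client, f"command to unowned robot {m['serial']}"))
    return findings


if __name__ == "__main__":
    for ts, client, reason in analyse(SAMPLE_LOG):
        print(f"t={ts} client={client}: {reason}")
```

Once the per-account serial binding is enforced on the broker itself (the server-side authorization the vendor describes), the last two checks become denials rather than alerts, and only the legacy-credential login remains a pure detection.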

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Yarbo
                    |                | Yarbo yarbo Android/ios Mobile Application
                    |                | Yarbo yarbo Cloud Mqtt Infrastructure
Vendors & Products  |                | Yarbo
                    |                | Yarbo yarbo Android/ios Mobile Application
                    |                | Yarbo yarbo Cloud Mqtt Infrastructure

Fri, 12 Jun 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
Title       |                | Yarbo Android/iOS Mobile Application and Cloud Infrastructure Use of Hard-coded Credentials
Weaknesses  |                | CWE-798
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-12T15:35:50.875Z

Reserved: 2026-06-01T14:53:33.531Z

Link: CVE-2026-10557

Vulnrichment

Updated: 2026-06-12T15:35:39.975Z

NVD

Status : Deferred

Published: 2026-06-12T15:16:24.523

Modified: 2026-06-12T16:06:47.720

Link: CVE-2026-10557

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:20:13Z

Weaknesses
  • CWE-798: Use of Hard-coded Credentials