CVE-2026-1442 - Vulnerability Details

- Unitree UPK files Hard-Coded Key

Description

Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree’s current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner’s knowledge.

Published: 2026-02-27

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Based on the description, it is inferred that the vulnerability arises from a hard‑coded key used in the encryption of Unitree firmware update files, allowing an attacker with access to the key material to alter firmware packages. This flaw permits the delivery of malicious firmware to affected units, potentially leading to unauthorized code execution or other malicious behavior once the firmware is installed. The weakness is rooted in key management practices and is captured as CWE‑321.

Affected Systems

All current Unitree robotic models, including the Go1 Air, Go1 Pro, Go2 Air, Go2 Edu Plus, Go2 Edu Standard, Go2 Pro, Go2 X, and their respective firmware versions, are impacted because the issue stems from the firmware generation and extraction processes across the product line.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, while the EPSS score is below 1%, suggesting a very low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves access to the update distribution mechanism or a network path that allows delivery of a crafted firmware; the official description notes that no publicly documented method exists yet to inject poisoned firmware without the owner’s knowledge, implying that successful exploitation may require elevated access or sophisticated intrusion techniques.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unitree

UPK

unaffected

Version	Status	Constraints
`0`	affected	≤ 20260226v1

Configuration 1 [-]

AND

cpe:2.3:o:unitree:go2_edu_standard_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_edu_standard:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:unitree:go2_air_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_air:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:unitree:go2_pro_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_pro:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:unitree:go2_x_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_x:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:unitree:go1_air_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go1_air:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:unitree:go1_pro_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go1_pro:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:unitree:go2_edu_plus_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2_edu_plus:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Unitree

Upk

100%

Version	Status	Scheme	Platform
`[0,20260226v1]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the robot to a firmware release that removes the hard‑coded key or otherwise implements proper key management, as provided by Unitree after the advisory.
Verify any firmware package against the official digital signature or secure boot chain before installation to ensure authenticity.
Configure network or device settings to restrict firmware updates to authenticated, trusted servers only, blocking any unverified sources.

Generated by OpenCVE AI on April 18, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
http://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001111111111110101111111111000000000000000000000000000000000000000000000000000000101
https://github.com/Bin4ry/UniTEABag
https://www.linkedin.com/posts/kevin-finisterre-6431069a_in-case-you-want-to-teabag-unitree-robotics-activity-7432984361014091776-zB4D
https://x.com/bin4rydigit/status/2027197985625420242

History

Wed, 11 Mar 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Unitree go1 Air Unitree go1 Air Firmware Unitree go1 Pro Unitree go1 Pro Firmware Unitree go2 Air Unitree go2 Air Firmware Unitree go2 Edu Plus Unitree go2 Edu Plus Firmware Unitree go2 Edu Standard Unitree go2 Edu Standard Firmware Unitree go2 Pro Unitree go2 Pro Firmware Unitree go2 X Unitree go2 X Firmware
CPEs		cpe:2.3:h:unitree:go1_air:-:::::::* cpe:2.3:h:unitree:go1_pro:-:::::::* cpe:2.3:h:unitree:go2_air:-:::::::* cpe:2.3:h:unitree:go2_edu_plus:-:::::::* cpe:2.3:h:unitree:go2_edu_standard:-:::::::* cpe:2.3:h:unitree:go2_pro:-:::::::* cpe:2.3:h:unitree:go2_x:-:::::::* cpe:2.3:o:unitree:go1_air_firmware:-:::::::* cpe:2.3:o:unitree:go1_pro_firmware:-:::::::* cpe:2.3:o:unitree:go2_air_firmware:-:::::::* cpe:2.3:o:unitree:go2_edu_plus_firmware:-:::::::* cpe:2.3:o:unitree:go2_edu_standard_firmware:-:::::::* cpe:2.3:o:unitree:go2_pro_firmware:-:::::::* cpe:2.3:o:unitree:go2_x_firmware:-:::::::*
Vendors & Products		Unitree go1 Air Unitree go1 Air Firmware Unitree go1 Pro Unitree go1 Pro Firmware Unitree go2 Air Unitree go2 Air Firmware Unitree go2 Edu Plus Unitree go2 Edu Plus Firmware Unitree go2 Edu Standard Unitree go2 Edu Standard Firmware Unitree go2 Pro Unitree go2 Pro Firmware Unitree go2 X Unitree go2 X Firmware

Fri, 27 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Unitree Unitree upk
Vendors & Products		Unitree Unitree upk

Fri, 27 Feb 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree’s current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner’s knowledge.
Title		Unitree UPK files Hard-Coded Key
Weaknesses		CWE-321
References		http://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000001111111111110101111111111000000000000000000000000000000000000000000000000000000101 https://github.com/Bin4ry/UniTEABag https://www.linkedin.com/posts/kevin-finisterre-6431069a_in-case-you-want-to-teabag-unitree-robotics-activity-7432984361014091776-zB4D https://x.com/bin4rydigit/status/2027197985625420242
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Unitree Go1 Air Go1 Air Firmware Go1 Pro Go1 Pro Firmware Go2 Air Go2 Air Firmware Go2 Edu Plus Go2 Edu Plus Firmware Go2 Edu Standard Go2 Edu Standard Firmware Go2 Pro Go2 Pro Firmware Go2 X Go2 X Firmware Upk

MITRE

Status: PUBLISHED

Assigner: AHA

Published: 2026-02-27T04:28:46.955Z

Updated: 2026-02-27T15:58:20.444Z

Reserved: 2026-01-26T13:26:13.580Z

Link: CVE-2026-1442

Vulnrichment

Updated: 2026-02-27T15:56:36.997Z

NVD

Status : Analyzed

Published: 2026-02-27T05:18:18.713

Modified: 2026-03-11T19:40:00.553

Link: CVE-2026-1442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses

CWE-321

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object