Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Published: 2026-02-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) expose a DDS topic without authentication, a weakness classified as CWE-306 (Missing Authentication for Critical Functionality). This lack of authentication allows an unauthenticated attacker on the same local network to publish a crafted message containing arbitrary Python code. The robot writes this code to disk under /unitree/etc/programming/ and binds it to a physical controller keybinding. When the key is pressed, the code executes as root and persists across reboots, granting the attacker persistent, full system control.

Affected Systems

UnitreeRobotics' Unitree Go2 robots running firmware versions V1.1.7, V1.1.8, V1.1.9, and the EDU variant V1.1.11 are affected. No other firmware versions are explicitly listed as affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not included in the CISA KEV catalog. The attack vector is network adjacent and requires no authentication; an attacker can simply join DDS domain 0 on the local network and publish the malicious payload. Persistence of the malicious keybinding across reboots, combined with execution as root, presents a severe threat if the device is exposed.

Generated by OpenCVE AI on May 26, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unitree Go2 firmware to a version that implements DDS authentication for the "rt/api/programming_actuator/request" topic.
  • If a firmware update is unavailable, isolate the robot from the local network or block UDP traffic for DDS domain 0 to prevent unauthorized message publication.
  • Monitor the robot’s /unitree/etc/programming directory and controller keybindings for unexpected files or changes, and disable any newly created keybindings if discovered.

Generated by OpenCVE AI on May 26, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots. Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

Thu, 12 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Unitree
Unitree go2
Unitree go2 Edu
Unitree go2 Edu Firmware
Unitree go2 Firmware
CPEs cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*
cpe:2.3:h:unitree:go2_edu:-:*:*:*:*:*:*:*
cpe:2.3:o:unitree:go2_edu_firmware:1.1.11:*:*:*:*:*:*:*
cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*
Vendors & Products Unitree
Unitree go2
Unitree go2 Edu
Unitree go2 Edu Firmware
Unitree go2 Firmware

Fri, 27 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Unitreerobotics
Unitreerobotics unitree Go2
Vendors & Products Unitreerobotics
Unitreerobotics unitree Go2

Thu, 26 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
Title Unitree Go2 Missing DDS Authentication Enables Adjacent RCE
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Unitree Go2 Go2 Edu Go2 Edu Firmware Go2 Firmware
Unitreerobotics Unitree Go2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:07.158Z

Reserved: 2026-02-19T19:51:07.327Z

Link: CVE-2026-27509

cve-icon Vulnrichment

Updated: 2026-02-27T17:53:43.111Z

cve-icon NVD

Status : Modified

Published: 2026-02-26T20:31:38.447

Modified: 2026-06-17T10:27:16.610

Link: CVE-2026-27509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T16:15:09Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function