Vulnerability Description
Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.
CVSS Score
HIGH (CVSS base score 8.0)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Unitree | Go2 Firmware | >= 1.1.7, <= 1.1.9 |
| Unitree | Go2 | - |
| Unitree | Go2 Edu Firmware | 1.1.11 |
| Unitree | Go2 Edu | - |
Related Weaknesses (CWE)
References
- https://boschko.ca/unitree-go2-rce/ (Exploit, Third Party Advisory)
- https://shop.unitree.com/products/unitree-go2 (Product)
- https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enab (Third Party Advisory)
FAQ
What is CVE-2026-27509?
CVE-2026-27509 is a vulnerability with a CVSS score of 8.0 (HIGH). Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled ...
How severe is CVE-2026-27509?
CVE-2026-27509 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-27509?
Check the references section above for vendor advisories and patch information. Affected products include: Unitree Go2 Firmware, Unitree Go2, Unitree Go2 Edu Firmware, Unitree Go2 Edu.