CVE-2026-7413

2026-05-07 11:00:26 AM CDT

CVE-2026-7413: Persistent undocumented backdoor access in Yarbo robot firmware v2.3.9

AHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!’s standard disclosure policy. Any questions about this disclosure should be directed to [email protected].

Affected products

Yarbo robot firmware v2.3.9 (April, 2026)

Executive summary

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates.

CVE-2026-7414

2026-05-07 11:00:26 AM CDT

CVE-2026-7414: Hardcoded credentials in Yarbo robot firmware v2.3.9

AHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!’s standard disclosure policy. Any questions about this disclosure should be directed to [email protected].

Affected products

Yarbo robot firmware v2.3.9 (April, 2026)

Executive summary

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them.

CVE-2026-7415

2026-05-07 11:00:26 AM CDT

CVE-2026-7415: Open MQTT orchestration without read/write ACLs in Yarbo robot firmware v2.3.9

AHA! has discovered an issue affecting Yarbo robot firmware v2.3.9. This disclosure follows AHA!’s standard disclosure policy. Any questions about this disclosure should be directed to [email protected].

Affected products

Yarbo robot firmware v2.3.9 (April, 2026)

Executive summary

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.

CVE-2026-4946

2026-03-25 12:55:26 PM CDT

CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution

A malicious binary can trigger arbitrary command execution in Ghidra when an analyst clicks on auto-generated comments.

AHA! has discovered an issue with Ghidra from the National Security Agency (NSA), and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on March 25, 2026. CVE-2026-4946 has been assigned to this issue, based on the original vulnerability disclosure GHSA-mc3p-mq2p-xw6v and demonstrated at a regular AHA! meeting by the discoverers.

CVE-2026-1442

2026-02-26 9:13:26 PM CDT

CVE-2026-1442: Unitree UPK files Hard-Coded Key

AHA! has discovered an issue with UPK files produced by Unitree, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on Februrary 28, 2026. CVE-2026-1442 has been assigned to this issue, as has GCVE-1337-2025-00000000000000000000000000000000000000000000000001111111111110101111111111000000000000000000000000000000000000000000000000000000101.

This vulnerability is estimated to have a CVSSv31 rating of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8, High) and the relevant SSVC vectors are Exploitation: PoC and Technical Impact: Total. This issue is an instance of [CWE-321].