CVE-2026-27510

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://boschko.ca/unitree-go2-rce/	Exploit Third Party Advisory
https://shop.unitree.com/products/unitree-go2	Product
https://www.vulncheck.com/advisories/unitree-go2-mobile-program-tampering-enables-root-rce	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 20:31

Updated : 2026-03-12 20:03

NVD link : CVE-2026-27510

Mitre link : CVE-2026-27510

CVE.ORG link : CVE-2026-27510

JSON object : View

Products Affected

unitree

go2
go2_firmware

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2026-27510", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T20:31:38.663", "references": [{"url": "https://boschko.ca/unitree-go2-rce/", "tags": ["Exploit", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://shop.unitree.com/products/unitree-go2", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/unitree-go2-mobile-program-tampering-enables-root-rce", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored programme record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it."}, {"lang": "es", "value": "Las versiones de firmware de Unitree Go2 1.1.7 a 1.1.11, cuando se usan con la aplicaci\u00f3n de Android Unitree Go2 (com.unitree.doggo2), son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo debido a la falta de protecci\u00f3n de integridad y validaci\u00f3n de programas creados por el usuario. La aplicaci\u00f3n de Android almacena programas en una base de datos SQLite local (unitree_go2.db, tabla dog_programme) y transmite el contenido de programme_text, incluido el campo pyCode, al robot. El archivo actuator_manager.py del robot ejecuta el Python suministrado como root sin verificaci\u00f3n de integridad o validaci\u00f3n de contenido. Un atacante con acceso local al dispositivo Android puede manipular el registro de programa almacenado para inyectar Python arbitrario que se ejecuta cuando el usuario activa el programa a trav\u00e9s de una asignaci\u00f3n de tecla del controlador, y la asignaci\u00f3n maliciosa persiste a trav\u00e9s de los reinicios. Adem\u00e1s, un programa malicioso compartido a trav\u00e9s del mercado comunitario de la aplicaci\u00f3n puede resultar en la ejecuci\u00f3n de c\u00f3digo arbitrario en cualquier robot que lo importe y ejecute."}], "lastModified": "2026-03-12T20:03:22.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:unitree:go2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E214A36-96C5-47AB-89FA-5891DFC99288", "versionEndIncluding": "1.1.11", "versionStartIncluding": "1.1.7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:unitree:go2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "372BB5C0-26D8-4E99-A63E-F4FB2D0A50C2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "disclosure@vulncheck.com"}