Summary
Successful exploitation of these vulnerabilities could allow an attacker to obtain hard-coded credentials, gain access to telemetry data, and potentially send operational commands to the robot fleet.
The following versions of Yarbo Android/iOS Mobile Application and Cloud Infrastructure are affected:
- Yarbo Android/IOS mobile application
- Cloud MQTT infrastructure vers:all/*
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Yarbo | Yarbo Android/iOS Mobile Application and Cloud Infrastructure | Use of Hard-coded Credentials, Missing Authorization |
Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China
Vulnerabilities
CVE-2026-10557
The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot’s command topic using only the robot’s serial number..
Affected Products
Yarbo Android/iOS Mobile Application and Cloud Infrastructure
Yarbo
Yarbo Yarbo Android/IOS mobile application: <v3.17.4, Yarbo Cloud MQTT infrastructure: vers:all/*
known_affected
Remediations
Mitigation
Yarbo recommends users update the Yarbo mobile app to 3.17.4 or later. Server-side broker authorization will be enforced automatically upon deployment of the May 2026 update. No user action is required.
Relevant CWE: CWE-798 Use of Hard-coded Credentials
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVE-2026-7368
The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot’s command topic using only the robot’s serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.
Affected Products
Yarbo Android/iOS Mobile Application and Cloud Infrastructure
Yarbo
Yarbo Yarbo Android/IOS mobile application: <v3.17.4, Yarbo Cloud MQTT infrastructure: vers:all/*
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: