CVE-2026-27509

HIGH 8.0

Unitree Go2 Missing DDS Authentication Enables Adjacent RCE

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU) do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programming_actuator/request handled by actuator_manager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publish a crafted message (api_id=1002) containing arbitrary Python, which the robot writes to disk under /unitree/etc/programming/ and binds to a physical controller keybinding. When the keybinding is pressed, the code executes as root and the binding persists across reboots.

CWE	CWE-306
Vendor	unitreerobotics
Product	unitree go2
Published	Feb 26, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for unitreerobotics unitree go2

Be the first to know when new high vulnerabilities affecting unitreerobotics unitree go2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

UnitreeRobotics / Unitree Go2

1.1.7 ≤ 1.1.9 1.1.11 (EDU only)

References

NVD ↗ CVE.org ↗ EPSS Data ↗

boschko.ca: https://boschko.ca/unitree-go2-rce/ shop.unitree.com: https://shop.unitree.com/products/unitree-go2 vulncheck.com: https://www.vulncheck.com/advisories/unitree-go2-missing-dds-authentication-enables-adjacent-rce

Credits

Olivier Laflamme Ruikai Peng