CVE-2026-7415: Unauthenticated MQTT Access in Yarbo Robot Firmware

Vulnerability Overview CVE ID: CVE-2026-7415 Vulnerability Name: OPEN MQTT ORCHESTRATION WITHOUT READ/WRITE ACLS IN YARBO ROBOT FIRMWARE V2.3.9 Description: The MQTT broker configuration in Yarbo robot firmware v2.3.9 allows anonymous connections without topic-level read/write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or directly publish control messages to the robot without authentication or authorization. CVSSv3 Score: 9.8 (Critical) Related SSV Vectors: Exploitation: PoC, Technical Impact: Total Instance: CVE-380 Impact Scope Affected Product: Yarbo Robot Firmware v2.3.9 (April 2026) Vulnerability Details: The MQTT broker is configured by default with and lacks an ACL file, allowing any client to connect and freely publish or subscribe to any topic. Orchestration topics expose direct command channels (e.g., movement, configuration) as well as telemetry topics carrying sensor data, location, and operational logs. Attacker Value: An attacker can use the open MQTT broker on the local network or via NAT traversal proxies (see CVE-2026-7413) to passively enumerate active robots, read real-time telemetry data, and identify specific device targets. More critically, they can actively publish commands to control robot actuators or change configurations without credentials. Combined with CVE-2026-7413 and CVE-2026-7414, this open broker completes a fully unauthorized attack path: MQTT reveals and enumerates devices, hardcoded credentials provide authenticated management access, and a persistent backdoor provides a root shell. Remediation Vendor Action: Disable anonymous MQTT access, require client authentication, enforce topic-level ACLs, and restrict publish and subscribe permissions to authorized clients only. Temporary Mitigations: Block MQTT ports (default 1883/8883) at network boundaries, place devices in isolated VLANs, and monitor for unexpected MQTT broker connections. Proof of Concept Reference: See Bin4ry's original disclosure details Yarbo – NAT in my Back Yard Timeline March 2026: Initial analysis of the vendor-provided Android APK April 2026: Initial analysis of the vendor-provided robot filesystem April 12, 2026 (Sunday): Initial contact with the vendor and AHA! April 29, 2026 (Wednesday): CVE-2026-7415 reserved April 30, 2026 (Thursday): Demonstrated at AHA! conference 0x00eb May 7, 2026 (Thursday): Public disclosure of CVE-2026-7415 Credits Reporter: Andreas Makris (aka Bin4ry), via AHA! demonstration and disclosure

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-7415: Unauthenticated MQTT Access in Yarbo Robot Firmware

More from this source