CVE Catalog

CVE-2026-10557

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation.

Risk Assessment

The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. This poses a risk of unauthorized access to telemetry data and the ability to issue commands to any robot.

Recommendation

It is recommended to remove hard-coded credentials from the application and implement authorization mechanisms that are unique to each user and device.

Original NVD description (English source)

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS