Security researchers have disclosed a pair of serious Yarbo robot vulnerabilities that could hand attackers control over thousands of yard robots worldwide. The first flaw lives inside the Yarbo Android and iOS apps: it stems from hard-coded MQTT credentials baked into the application binary. The second lies in the Yarbo cloud, which does not check whether a given login is entitled to the robot it addresses.
Hard-Coded Credentials Open the Door
The first issue, tracked as CVE-2026-10557, carries a critical CVSS score of 9.8. Each Yarbo mobile app ships with MQTT credentials that are identical for every user and every device. Moreover, those secrets sit right inside the app package.
As a result, anyone can pull them out through simple APK decompilation. Once recovered, the credentials unlock the cloud MQTT brokers that carry live telemetry for the entire global robot fleet.
Therefore, an attacker can subscribe to every robot’s telemetry stream. Worse still, they can publish commands to any robot using only its serial number.
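The practical check here is the one the researchers presumably ran: unpack the app package and look for broker endpoints and credential literals. The following is an added example, not code from the original report or from Yarbo; it builds a constructed package in memory (the file names, endpoints and secrets are invented for illustration) and runs a crude strings-style scan over it, which is how a reviewer would confirm whether an app ships shared MQTT secrets.

```python
import io
import re
import zipfile

# Broker URI schemes commonly used by MQTT client libraries (assumption: these
# cover the usual cases; extend the list for a real audit).
ENDPOINT_RE = re.compile(rb"(?:mqtts?|ssl|tcp|wss?)://[A-Za-z0-9.\-]+(?::\d{1,5})?")
# Key/value pairs that look like a credential literal, e.g. "password":"x" or
# MQTT_PASSWORD=x. The capture group is the secret candidate itself.
CRED_RE = re.compile(
    rb'(?i)"?(?:mqtt_?)?(?:user(?:name)?|pass(?:word)?)"?\s*[:=]\s*"?([^"\s,;]{4,})'
)


def extract_strings(data: bytes, min_len: int = 6):
    """Crude strings(1) equivalent: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_app_package(package_bytes: bytes) -> dict:
    """Scan every non-media entry of an APK/IPA-style zip for broker URIs and
    credential literals. Returns sorted endpoints and (entry, secret) pairs."""
    endpoints = set()
    credentials = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith((".png", ".jpg", ".ttf")):  # skip obvious media
                continue
            data = zf.read(name)
            for s in extract_strings(data):
                for m in ENDPOINT_RE.findall(s):
                    endpoints.add(m.decode())
                for m in CRED_RE.findall(s):
                    credentials.append((name, m.decode()))
    return {"endpoints": sorted(endpoints), "credentials": credentials}


def build_constructed_package() -> bytes:
    """Constructed sample package for the demo; nothing here comes from a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A config asset with a shared, fleet-wide login (invented values).
        zf.writestr(
            "assets/mqtt_config.json",
            '{"broker":"mqtts://broker.example.invalid:8883",'
            '"username":"fleet_app","password":"Sh4redSecret!"}',
        )
        # A binary blob with a legacy endpoint and an env-style secret embedded
        # among non-printable bytes, as a compiled class table might carry it.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00\x01\x02" * 20
            + b"\x00ssl://legacy.example.invalid:8883\x00MQTT_PASSWORD=hunter2xyz\x00",
        )
        zf.writestr("res/drawable/icon.png", b"\x89PNG" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_app_package(build_constructed_package())
    for ep in report["endpoints"]:
        print("endpoint:", ep)
    for entry, secret in report["credentials"]:
        print(f"credential in {entry}: {secret}")
```

Any hit that is the same across builds and users is the shared-secret pattern described above; the fix on the app side is per-device provisioning (certificates or tokens issued at pairing), not a better-hidden constant.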
Missing Authorization Widens the Risk
The second flaw, CVE-2026-7368, scores 8.1 and adds another layer of danger. The Yarbo cloud does not enforce per-device or per-user authorization checks.
Consequently, any valid login grants fleet-wide access. Even after Yarbo strips the shared secrets, one leaked credential could still expose every robot. This Yarbo robot vulnerability therefore reaches far beyond a single careless secret.
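What server-side broker authorization has to do is bind each authenticated identity to the serials it owns and to the direction of traffic it is allowed. The following is an added example, not Yarbo's code; the topic layout (devices/<serial>/telemetry for robot-to-cloud data, devices/<serial>/cmd for commands) and the principal model are assumptions made for illustration. It contrasts the authentication-only gate the advisory describes with a per-device check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str            # "device" (a robot) or "user" (an app login)
    serials: frozenset   # serials this identity is entitled to touch


def topic_serial(topic: str):
    """Return the serial embedded in devices/<serial>/<leaf>, else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices" or parts[2] not in ("telemetry", "cmd"):
        return None
    return parts[1]


def weak_authorize(authenticated: bool, action: str, topic: str) -> bool:
    """Model of the flaw: once logged in, any action on any topic is allowed."""
    return authenticated


def strict_authorize(p: Principal, action: str, topic: str) -> bool:
    """Per-device, per-direction check. Wildcards are refused outright: a
    subscription to devices/+/telemetry would leak the whole fleet."""
    if "+" in topic or "#" in topic:
        return False
    serial = topic_serial(topic)
    if serial is None or serial not in p.serials:
        return False
    leaf = topic.rsplit("/", 1)[1]
    if p.kind == "device":
        # A robot reports its own telemetry and listens for its own commands.
        return (action, leaf) in {("publish", "telemetry"), ("subscribe", "cmd")}
    if p.kind == "user":
        # An owner reads their robot's telemetry and sends it commands.
        return (action, leaf) in {("subscribe", "telemetry"), ("publish", "cmd")}
    return False


if __name__ == "__main__":
    # One leaked owner credential: fleet-wide under the weak gate, scoped under the strict one.
    owner = Principal("user", frozenset({"SN0001"}))
    print("weak   -> other robot cmd:", weak_authorize(True, "publish", "devices/SN0002/cmd"))
    print("strict -> own robot cmd:  ", strict_authorize(owner, "publish", "devices/SN0001/cmd"))
    print("strict -> other robot cmd:", strict_authorize(owner, "publish", "devices/SN0002/cmd"))
    print("strict -> fleet wildcard: ", strict_authorize(owner, "subscribe", "devices/+/telemetry"))
```

The point of the strict variant is that it makes a single leaked login worth exactly one robot, which is the property the cloud-side fix mentioned below is meant to restore.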
What Owners Should Do Now
Yarbo urges users to update the mobile app to version 3.17.4 or later. In addition, the vendor will enforce server-side broker authorization, which arrives with the May 2026 cloud update and requires no action from owners beyond the app update.
For more detail, you can review the official CISA ICS advisory covering both issues.
Two weakness classes underpin these issues: CWE-798 (Use of Hard-coded Credentials) and CWE-862 (Missing Authorization). Hard-coded secrets and missing checks remain common traps for connected devices, and a secret shared across a whole fleet is the worst form of the first, since one extraction compromises every unit. Yarbo owners should patch quickly, because exposed credentials rarely stay private for long.