Listen to this Post
CVE-2026-27510 is a vulnerability in the Unitree Go2 robotic dog that allows an attacker to execute arbitrary code with root privileges . The flaw resides in how the Unitree Go2 Android application (com.unitree.doggo2) handles user-created programs. The app stores these programs, which are essentially Python scripts, in a local SQLite database file named `unitree_go2.db` within a table called `dog_programme` . When a user triggers a program, the app transmits the `programme_text` content, specifically the `pyCode` field, to the robot . The robot’s `actuator_manager.py` process receives this code and executes it as the root user without performing any integrity or security checks . An attacker with local access to the paired Android device can directly tamper with the `pyCode` field in the SQLite database, injecting malicious Python commands . When the user subsequently activates the program via a controller keybinding, the malicious code executes as root, and this binding persists across reboots . Furthermore, a malicious program shared through the app’s community marketplace can compromise any robot that imports and runs it, enabling a supply-chain attack .
dailycve form:
Platform: Unitree Go2
Version: 1.1.7 – 1.1.11
Vulnerability : Code Injection
Severity: MEDIUM (CVSS 6.4)
date: 2026-02-26
Prediction: Patch released 2026-02-24
What Undercode Say:
Analytics
The vulnerability is caused by missing integrity verification (CWE-345) of user-created programs . The attack vector is network-based, requires no privileges, but does require user interaction, such as importing a malicious program or pressing a controller button . The CVSS v4.0 score from the CNA (VulnCheck) is 6.4 (Medium), with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H, indicating a high impact on system confidentiality, integrity, and availability . A CVSS v3.1 score of 9.6 (Critical) was also assigned, reflecting the severity of the RCE . The issue affects the Unitree Go2 firmware versions 1.1.7 through 1.1.11 .
How Exploit:
- Gain access to the Android device with the Unitree Go2 app installed.
- Navigate to the app’s local data directory and access the SQLite database:
`sqlite3 /data/data/com.unitree.doggo2/databases/unitree_go2.db`
- Query and update the target program’s Python code in the `dog_programme` table:
`UPDATE dog_programme SET pyCode = ‘import os; os.system(“malicious_command”)’ WHERE programme_id = [bash];`
4. Trigger the program via the robot’s controller to execute the payload as root .
Protection from this CVE
Unitree released an OTA firmware update, version 1.1.13, which addresses CVE-2026-27510 by implementing proper validation and integrity checks for scripts before execution . Users are strongly advised to update their robot’s firmware immediately via the official Unitree Go2 application. Until the update is applied, it is recommended to avoid importing programs from untrusted sources within the community marketplace and to restrict physical access to the paired Android device . Isolating the robot on a dedicated, secure Wi-Fi network can also limit exposure .
Impact
Successful exploitation allows an attacker to execute arbitrary Python code with root privileges on the Unitree Go2 robot . This grants full control over the device, enabling the attacker to access sensors, cameras, and motors, and to pivot to other devices on the network . The attack can be achieved either by tampering with the Android app’s local database or by distributing a malicious program through the official community marketplace . Once a malicious program is bound to a controller key, the code execution persists across reboots, establishing a long-term backdoor .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

