CVE-2026-27510
Published: 26 February 2026
Description
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution due to missing integrity protection and validation of user-created programs. The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. An attacker with local access to the Android device can tamper with the stored program record to inject arbitrary Python that executes when the user triggers the program via a controller keybinding, and the malicious binding persists across reboots. Additionally, a malicious program shared through the application's community marketplace can result in arbitrary code execution on any robot that imports and runs it.
Mitigating Controls (NIST 800-53 r5), AI-generated
SI-7 mandates integrity verification mechanisms for software, firmware, and information, directly addressing the absence of checks on user-supplied Python programs before root execution on the robot.
SI-10 requires validation of all information inputs, preventing injection of arbitrary malicious Python code via tampering with the Android app's SQLite database programme_text field.
SC-18 establishes controls and approval processes for mobile code execution, mitigating risks from unverified user-created programs transmitted from the app or marketplace to the robot.
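An integrity gate of the kind SI-7 and SI-10 describe, as an added example that is not Unitree's code: the row shape follows the page's description of the dog_programme table, the sig column and the robot-held key are assumptions, and HMAC-SHA256 stands in for a signature scheme whose signing key the Android app's local storage never holds.

```python
"""Verify a program record before any executor would see its pyCode.

Added example, not the vendor's code. Assumed: each dog_programme row carries
a 'sig' column, and the robot holds a key the Android app does not store.
HMAC-SHA256 stands in for an asymmetric signature.
"""
import hashlib
import hmac
import json

# Constructed key for the demo; a deployment keeps it on the robot/signer only.
ROBOT_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(programme_id: int, programme_text: dict) -> bytes:
    """Bind the tag to the record id and a canonical JSON form, so a signed
    payload cannot be moved to another record or re-serialised to dodge it."""
    payload = {"id": programme_id, "programme_text": programme_text}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_record(programme_id: int, programme_text: dict, key: bytes = ROBOT_KEY) -> str:
    return hmac.new(key, canonical_bytes(programme_id, programme_text), hashlib.sha256).hexdigest()


def verify_record(row: dict, key: bytes = ROBOT_KEY) -> bool:
    """SI-10: programme_text must parse and hold a string pyCode field.
    SI-7: the stored tag must match the record's canonical content."""
    try:
        programme_id = row["id"]
        text = json.loads(row["programme_text"])
        sig = row["sig"]
    except (KeyError, TypeError, ValueError):
        return False
    if not isinstance(text, dict) or not isinstance(text.get("pyCode"), str):
        return False
    if not isinstance(sig, str):
        return False
    return hmac.compare_digest(sign_record(programme_id, text, key), sig)


def demo() -> tuple:
    """Constructed rows: a valid record, one with altered pyCode, one re-homed."""
    text = {"name": "wave", "pyCode": "robot.wave()"}
    good = {"id": 7, "programme_text": json.dumps(text), "sig": sign_record(7, text)}
    tampered = dict(good, programme_text=json.dumps({**text, "pyCode": "robot.sit()"}))
    moved = dict(good, id=8)
    return verify_record(good), verify_record(tampered), verify_record(moved)
```

Only a record that passes verify_record should ever reach the component that executes pyCode; the tampered and re-homed rows are refused before any Python is interpreted.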
Security Summary, AI-generated
CVE-2026-27510 is a remote code execution vulnerability (CWE-345: Insufficient Verification of Data Authenticity) affecting Unitree Go2 firmware versions 1.1.7 through 1.1.11 when paired with the Unitree Go2 Android application (com.unitree.doggo2). The issue arises from a lack of integrity protection and validation for user-created programs. The Android app stores these programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py then executes the supplied Python code as root without any integrity verification or content validation.
Attackers with local access to the victim's Android device can tamper with the stored programme record in the database to inject arbitrary Python code. This malicious code executes on the robot with root privileges when the user triggers the program via a controller keybinding, and the tampered binding persists across device reboots. Additionally, attackers can distribute malicious programs through the application's community marketplace, enabling arbitrary code execution on any Unitree Go2 robot that imports and runs the program. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope.
Advisories provide further details on the vulnerability, including https://boschko.ca/unitree-go2-rce/ and https://www.vulncheck.com/advisories/unitree-go2-mobile-program-tampering-enables-root-rce. The Unitree Go2 product page is available at https://shop.unitree.com/products/unitree-go2.
MITRE ATT&CK Enterprise Techniques, AI-generated
Why these techniques?
The vulnerability enables remote code execution by exploiting the robot's actuator_manager.py service (T1210), running directly with root privileges (T1068), using injected Python code (T1059.006).