CVE-2026-7415 (GCVE-0-2026-7415)

Vulnerability from cvelistv5 – Published: 2026-05-07 16:11 – Updated: 2026-05-07 17:04
VLAI?
Title
Open MQTT orchestration without read/write ACLs in Yarbo robot firmware
Summary
The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-306 - Missing authentication for critical function
Assigner
AHA
References
Impacted products
Vendor Product Version
Yarbo Firmware Affected: 0 , ≤ 2.3.9 (semver)
Create a notification for this product.
Date Public ?
2026-05-07 16:00
Credits
Andreas Makris (aka Bin4ry) todb of AHA!
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7415",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T17:04:20.271427Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T17:04:31.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Firmware",
          "vendor": "Yarbo",
          "versions": [
            {
              "lessThanOrEqual": "2.3.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andreas Makris (aka Bin4ry)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "todb of AHA!"
        }
      ],
      "datePublic": "2026-05-07T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind."
            }
          ],
          "value": "The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing authentication for critical function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T16:11:16.943Z",
        "orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
        "shortName": "AHA"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/Bin4ry/yarbo-nat-in-my-back-yard"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Open MQTT orchestration without read/write ACLs in Yarbo robot firmware",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
    "assignerShortName": "AHA",
    "cveId": "CVE-2026-7415",
    "datePublished": "2026-05-07T16:11:16.943Z",
    "dateReserved": "2026-04-29T13:55:11.141Z",
    "dateUpdated": "2026-05-07T17:04:31.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-7415",
      "date": "2026-05-11",
      "epss": "0.0003",
      "percentile": "0.08617"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-7415\",\"sourceIdentifier\":\"cve@takeonme.org\",\"published\":\"2026-05-07T17:15:59.570\",\"lastModified\":\"2026-05-07T18:46:25.867\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@takeonme.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve@takeonme.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://github.com/Bin4ry/yarbo-nat-in-my-back-yard\",\"source\":\"cve@takeonme.org\"},{\"url\":\"https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001\",\"source\":\"cve@takeonme.org\"},{\"url\":\"https://github.com/Bin4ry/yarbo-nat-in-my-back-yard\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-7415\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-07T17:04:20.271427Z\"}}}], \"references\": [{\"url\": \"https://github.com/Bin4ry/yarbo-nat-in-my-back-yard\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-07T17:03:31.152Z\"}}], \"cna\": {\"title\": \"Open MQTT orchestration without read/write ACLs in Yarbo robot firmware\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Andreas Makris (aka Bin4ry)\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"todb of AHA!\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Yarbo\", \"product\": \"Firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.3.9\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-05-07T16:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/Bin4ry/yarbo-nat-in-my-back-yard\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing authentication for critical function\"}]}], \"providerMetadata\": {\"orgId\": \"26969f82-7e87-44d8-9cb5-f6fb926ddd43\", \"shortName\": \"AHA\", \"dateUpdated\": \"2026-05-07T16:11:16.943Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-7415\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-07T17:04:31.177Z\", \"dateReserved\": \"2026-04-29T13:55:11.141Z\", \"assignerOrgId\": \"26969f82-7e87-44d8-9cb5-f6fb926ddd43\", \"datePublished\": \"2026-05-07T16:11:16.943Z\", \"assignerShortName\": \"AHA\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.