CVE-2026-27510 Overview
CVE-2026-27510 is a remote code execution vulnerability affecting Unitree Go2 quadruped robot firmware versions 1.1.7 through 1.1.11 when used with the Unitree Go2 Android application (com.unitree.doggo2). The vulnerability stems from missing integrity protection and validation of user-created programs, allowing attackers to inject arbitrary Python code that executes with root privileges on the robot.
The Android application stores programs in a local SQLite database (unitree_go2.db, table dog_programme) and transmits the programme_text content, including the pyCode field, to the robot. The robot's actuator_manager.py executes the supplied Python as root without integrity verification or content validation. This vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity).
Critical Impact
Attackers can achieve persistent root-level code execution on Unitree Go2 robots through tampered program records or malicious community marketplace programs, with malicious bindings persisting across device reboots.
Affected Products
- Unitree Go2 Firmware versions 1.1.7 through 1.1.11
- Unitree Go2 Android Application (com.unitree.doggo2)
- Unitree Go2 Quadruped Robot Platform
Discovery Timeline
- 2026-02-26 - CVE-2026-27510 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27510
Vulnerability Analysis
This vulnerability represents a critical flaw in the trust model between the Unitree Go2 Android companion application and the robot's firmware. The application allows users to create custom programs containing Python code, which are stored locally in an SQLite database on the Android device. When a user triggers a program via a controller keybinding, the application transmits the program content to the robot without any cryptographic signing or integrity verification.
The robot's actuator_manager.py component receives this Python code and executes it directly with root privileges. Since there is no validation of the code's origin, authenticity, or content, an attacker with local access to the Android device can modify the stored program records in the unitree_go2.db database to inject malicious Python payloads.
A particularly concerning attack vector exists through the application's community marketplace feature. Malicious actors can share trojanized programs through this platform, and any user who imports and executes such a program will unknowingly run the attacker's code with root privileges on their robot. The malicious controller bindings persist across reboots, providing attackers with a persistent foothold.
Root Cause
The root cause of CVE-2026-27510 is the complete absence of integrity verification mechanisms in the program execution pipeline. The system fails to implement cryptographic signatures, hash validation, or any form of authentication to verify that program content has not been tampered with. The actuator_manager.py component blindly trusts all incoming Python code, treating the Android application as an implicitly trusted source without verifying the data's authenticity.
Attack Vector
The attack can be executed through two primary vectors:
Local Device Tampering: An attacker with physical or logical access to the victim's Android device can directly modify the SQLite database containing stored programs. By editing the pyCode field within the dog_programme table, attackers can inject arbitrary Python commands that execute when the legitimate user triggers the associated program binding.
Community Marketplace Poisoning: Attackers can create and publish malicious programs to the Unitree Go2 community marketplace. When unsuspecting users download and execute these programs, the embedded malicious Python code executes with root privileges on their robots. This represents a supply chain attack vector that could affect multiple victims simultaneously.
The vulnerability requires user interaction (the victim must trigger the program), but the network accessibility of the marketplace feature and the persistence of malicious bindings significantly amplify the risk. For detailed technical analysis, see the Boschko Analysis on Unitree GO2 RCE and the VulnCheck Advisory.
Detection Methods for CVE-2026-27510
Indicators of Compromise
- Unexpected modifications to the unitree_go2.db SQLite database on Android devices, particularly changes to the dog_programme table
- Unusual Python code patterns in stored programs, such as shell command execution, network connections, or file system operations
- Unauthorized processes running with root privileges on the Unitree Go2 robot
- Unexpected network connections originating from the robot to external IP addresses
Detection Strategies
- Monitor the unitree_go2.db database for unauthorized modifications using file integrity monitoring tools on rooted Android devices
- Implement network traffic analysis to detect suspicious outbound connections from Unitree Go2 robots
- Review community marketplace program downloads and compare against known-good hashes before execution
- Audit controller keybindings for unexpected or unfamiliar program associations
Monitoring Recommendations
- Enable logging on the Unitree Go2 robot to capture actuator_manager.py execution events and associated Python code
- Deploy network segmentation to isolate IoT devices including quadruped robots from sensitive network segments
- Regularly audit stored programs in the Android application for unexpected or suspicious content
- Monitor for privilege escalation attempts or unusual root-level activity on the robot platform
How to Mitigate CVE-2026-27510
Immediate Actions Required
- Avoid downloading and executing programs from the community marketplace until a patch is available
- Secure physical access to Android devices running the Unitree Go2 application
- Review and remove any suspicious or untrusted programs from the application's stored program list
- Consider isolating the Unitree Go2 robot on a separate network segment with restricted internet access
Patch Information
At the time of publication, no official patch has been released by Unitree. Users should monitor the Unitree GO2 Product Page for firmware updates that address this vulnerability. When a patch becomes available, users should immediately update both the robot firmware and the Android companion application to the latest versions.
Workarounds
- Disable or avoid using the community marketplace feature until integrity verification is implemented
- Only use programs created locally on trusted devices and verify the database has not been tampered with
- Implement additional access controls on the Android device to prevent unauthorized database modifications
- Consider factory resetting the robot and clearing all stored programs if compromise is suspected
# Verify database integrity (requires root access on Android device)
# Compare current database hash against known-good baseline
adb shell "md5sum /data/data/com.unitree.doggo2/databases/unitree_go2.db"
# Export and review stored programs for suspicious content
adb shell "sqlite3 /data/data/com.unitree.doggo2/databases/unitree_go2.db 'SELECT * FROM dog_programme;'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
