LeakyCreds

CVE-2026-7415 - Vulnerability Analysis

Critical (CVSS: 9.8)

Last Updated: May 7, 2026

Yarbo - Broken Access Control

Published: May 7, 2026
Updated: May 7, 2026
Remote Exploitable

Overview

Yarbo firmware v2.3.9 contains a broken access control vulnerability: the MQTT broker allows anonymous connections and enforces no topic-level ACLs, so any network host can subscribe to or publish sensitive telemetry and control messages without authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Any network host can control the robot or access sensitive telemetry, potentially leading to unauthorized control or data exposure.

Mitigation

Update to the latest firmware version with proper MQTT authentication and topic-level ACLs.
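
The check that the mitigation calls for, sketched as an added example (not Yarbo or vendor code): an authenticated identity plus a default-deny topic ACL, next to the open behaviour described in the overview. The client names and topic layout are constructed for illustration, and authentication itself is assumed to have happened before authorize() is called.

```python
# Added example: default-deny topic authorization for an MQTT broker.
# Client IDs and topic names are constructed; the real topic layout is not on this page.

def topic_matches(topic_filter, topic):
    """MQTT filter match: '+' is one level, '#' is all remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    # Wildcards at the first level must not match '$'-prefixed (broker) topics.
    if topic.startswith("$") and f_parts[0] in ("+", "#"):
        return False
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1      # '#' is only valid as the last level
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

# Hypothetical per-client rules: (access, topic filter).
ACL = {
    "robot-0001": [("write", "devices/robot-0001/telemetry/#"),
                   ("read", "devices/robot-0001/cmd/#")],
    "app-alice": [("read", "devices/robot-0001/telemetry/#"),
                  ("write", "devices/robot-0001/cmd/#")],
}

def authorize(user, action, topic, acl, allow_anonymous):
    """user: authenticated identity or None; action: 'read' or 'write'."""
    if user is None and not allow_anonymous:
        return False                          # unauthenticated client rejected
    if acl is None:
        return True                           # no ACLs configured: every topic is open
    for access, topic_filter in acl.get(user, []):
        if access in (action, "readwrite") and topic_matches(topic_filter, topic):
            return True
    return False                              # default deny

if __name__ == "__main__":
    cmd = "devices/robot-0001/cmd/move"
    print("open broker, anonymous publish: ", authorize(None, "write", cmd, None, True))
    print("hardened, anonymous publish:    ", authorize(None, "write", cmd, ACL, False))
    print("hardened, app publishes command:", authorize("app-alice", "write", cmd, ACL, False))
    print("hardened, app forges telemetry: ",
          authorize("app-alice", "write", "devices/robot-0001/telemetry/gps", ACL, False))
```

The same rule set also blocks one authenticated client from reading another device's topics, which authentication alone would not do.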

Details

CVE ID: CVE-2026-7415
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H