CVE-2026-10557 CRITICAL

CVE-2026-10557: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Use of Hard-coded Credentials

Vendor Yarbo
Product Yarbo Android/iOS mobile application
Weakness CWE-798 · Use of hard-coded credentials
Published June 12, 2026
Last update June 12, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.
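The weakness above is an access-control failure on the broker side as much as a secret-management failure in the app: once every client shares one credential, the broker has no identity on which to base per-topic restrictions, so wildcard subscriptions and cross-device publishes cannot be distinguished from legitimate traffic. The following is an added example, not code from the CVE record or from Yarbo, showing the mitigation a defender would implement: a per-client credential store with salted password hashing, plus a topic authorization model in which a robot may only publish its own telemetry and read its own command topic, and a user may only reach the robots registered to their account. The topic layout `robots/<serial>/telemetry` and `robots/<serial>/cmd`, the serial-number format, and all client names are hypothetical placeholders.

```python
"""Per-client MQTT credentials and topic ACLs as a mitigation for shared,
hard-coded broker credentials (CWE-798).

Added illustration, not vendor code. Topic names, serial format and client
identities are constructed placeholders.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Hypothetical serial-number format. Because it only admits alphanumerics,
# a topic containing the MQTT wildcards '+' or '#' in the serial position
# never parses, so fleet-wide subscriptions are rejected structurally.
SERIAL_RE = re.compile(r"^[A-Z0-9]{6,32}$")

# Hypothetical topic layout: robots/<serial>/telemetry and robots/<serial>/cmd
LEAVES = ("telemetry", "cmd")


def parse_topic(topic: str):
    """Return (serial, leaf) for a well-formed, wildcard-free robot topic, else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "robots" or parts[2] not in LEAVES:
        return None
    if not SERIAL_RE.match(parts[1]):
        return None
    return parts[1], parts[2]


@dataclass(frozen=True)
class Principal:
    """The authenticated identity behind a broker connection."""
    kind: str                      # "robot" or "user"
    name: str                      # robot serial, or user account id
    owned: frozenset = frozenset() # serials bound to a user account (users only)


def authorize(p: Principal, action: str, topic: str) -> bool:
    """Decide whether principal p may perform action ('publish'/'subscribe') on topic.

    Robots: publish only their own telemetry, subscribe only to their own cmd.
    Users:  subscribe only to telemetry of owned robots, publish only to their cmd.
    Everything else, including any wildcard, is denied.
    """
    parsed = parse_topic(topic)
    if parsed is None:
        return False
    serial, leaf = parsed
    if p.kind == "robot":
        if p.name != serial:
            return False
        return (action, leaf) in {("publish", "telemetry"), ("subscribe", "cmd")}
    if p.kind == "user":
        if serial not in p.owned:
            return False
        return (action, leaf) in {("subscribe", "telemetry"), ("publish", "cmd")}
    return False


class CredentialStore:
    """One random secret per client, stored only as a salted PBKDF2 hash.

    Replaces the single app-wide credential: compromising one client's secret
    (for example from a decompiled build) yields that client's identity only,
    and the ACL above bounds what that identity can do.
    """
    ITERATIONS = 200_000

    def __init__(self):
        self._records = {}  # client_id -> (salt, hash)

    def issue(self, client_id: str) -> str:
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)
        self._records[client_id] = (salt, digest)
        return secret  # delivered once, during device/user provisioning

    def verify(self, client_id: str, secret: str) -> bool:
        record = self._records.get(client_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(digest, candidate)


def evaluate(requests):
    """Apply the ACL to a list of (principal, action, topic); return decisions."""
    return [(p.name, action, topic, authorize(p, action, topic)) for p, action, topic in requests]


if __name__ == "__main__":
    # Constructed sample: one robot, one user owning it, and requests that the
    # shared-credential model would have allowed but this model denies.
    robot = Principal("robot", "YB0001A")
    user = Principal("user", "alice", frozenset({"YB0001A"}))
    sample = [
        (robot, "publish", "robots/YB0001A/telemetry"),   # allowed
        (robot, "publish", "robots/YB0002B/telemetry"),   # denied: not its serial
        (user, "subscribe", "robots/#"),                  # denied: fleet-wide wildcard
        (user, "subscribe", "robots/+/telemetry"),        # denied: wildcard serial
        (user, "publish", "robots/YB0001A/cmd"),          # allowed: owned robot
        (user, "publish", "robots/YB0002B/cmd"),          # denied: not owned
    ]
    for name, action, topic, ok in evaluate(sample):
        print(f"{name:8} {action:9} {topic:28} {'ALLOW' if ok else 'DENY'}")
```

In a production broker these two functions correspond to the authentication and ACL hooks (for example a Mosquitto auth plugin or EMQX authorization rule set); the point of the model is that authorization keys off a per-connection identity the broker has verified, which is impossible when every client presents the same embedded credential.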

Key dates

02 Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated