CVE-2026-7368 HIGH

CVE-2026-7368: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization

Vendor Yarbo
Product Yarbo Android/IOS mobile application
Weakness CWE-862 · Missing authorization
Published June 12, 2026
Last update June 12, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-59561 WordPress Smart Blocks Plugin <= 2.4 - Broken Access Control Vulnerability CVE-2025-31065 WordPress Rozario <= 1.4 - Broken Access Control Vulnerability CVE-2025-15406 PHPGurukul Online Course Registration authorization CVE-2025-30543 WordPress Menu Duplicator plugin <= 1.0 - Broken Access Control vulnerability CVE-2025-1326 Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Reservation & Post Deletion