CVE-2026-10557

Yarbo · Android/iOS Mobile Application and Cloud MQTT

The Yarbo mobile application and cloud infrastructure contain hardcoded MQTT credentials, allowing unauthorized access to global robot telemetry and command functions.

Executive summary

Hardcoded MQTT credentials in Yarbo mobile applications allow unauthenticated attackers to access real-time telemetry and send commands to the entire global robot fleet.

Vulnerability

The application contains identical hardcoded MQTT broker credentials across all devices. These credentials can be extracted via APK decompilation, granting attackers the ability to subscribe to telemetry topics and publish commands to any robot using its serial number.

Business impact

With a CVSS score of 9.8, this vulnerability represents a massive risk to user privacy and physical device security. Unauthorized command execution could lead to physical damage to the robots or the misuse of private household data, resulting in severe brand damage and liability.

Remediation

Immediate Action: Update the Yarbo mobile app to version 3.17.4 or later and ensure server-side updates from the May 2026 broker authorization release are applied.

Proactive Monitoring: Monitor cloud MQTT logs for unauthorized subscription requests or command traffic that does not correspond to legitimate user activity.
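The monitoring advice above can be turned into a concrete detector. The following is an added example, not code from the advisory or from Yarbo: it runs over a constructed, Mosquitto-style broker access log and flags any subscribe or publish whose topic does not belong to the authenticated account's own robots, plus any wildcard subscription that would span the fleet. The log line format, the topic layout `robots/<serial>/telemetry` and `robots/<serial>/cmd`, the account names and the serial numbers are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample broker access log (not real Yarbo logs). The line format is an
# assumption: timestamp, client id, authenticated user, action, topic.
SAMPLE_LOG = """\
2026-05-02T10:00:01Z client=app-u1001 user=u1001 SUBSCRIBE topic=robots/SN-AAA111/telemetry
2026-05-02T10:00:02Z client=app-u1001 user=u1001 PUBLISH topic=robots/SN-AAA111/cmd
2026-05-02T10:00:05Z client=app-u2002 user=u2002 SUBSCRIBE topic=robots/SN-BBB222/telemetry
2026-05-02T10:00:09Z client=unknown-7f user=shared SUBSCRIBE topic=robots/+/telemetry
2026-05-02T10:00:11Z client=unknown-7f user=shared PUBLISH topic=robots/SN-BBB222/cmd
2026-05-02T10:00:12Z client=app-u1001 user=u1001 PUBLISH topic=robots/SN-BBB222/cmd
"""

# Constructed ownership table: which account is bound to which robot serials
# (a real deployment would read this from the pairing database).
OWNERSHIP = {"u1001": {"SN-AAA111"}, "u2002": {"SN-BBB222"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"(?P<action>SUBSCRIBE|PUBLISH) topic=(?P<topic>\S+)$"
)
# Hypothetical topic layout for the example: robots/<serial>/telemetry and robots/<serial>/cmd.
TOPIC_RE = re.compile(r"^robots/(?P<serial>[^/+#]+)/(?P<kind>telemetry|cmd)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    client: str
    action: str
    topic: str
    reason: str


def analyze(log_text: str, ownership: dict) -> list:
    """Return one Alert per log line whose topic access does not match the account's robots."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # lines in another format are out of scope for this detector
        ts, client, user, action, topic = (m[k] for k in ("ts", "client", "user", "action", "topic"))
        if "+" in topic or "#" in topic:
            # A legitimate app only ever needs its own robot; a wildcard spanning serials
            # is the fleet-wide subscription pattern the advisory warns about.
            alerts.append(Alert(ts, user, client, action, topic, "wildcard topic spans multiple robots"))
            continue
        t = TOPIC_RE.match(topic)
        if t is None:
            alerts.append(Alert(ts, user, client, action, topic, "topic outside expected namespace"))
            continue
        if t["serial"] not in ownership.get(user, set()):
            what = "command" if t["kind"] == "cmd" else "telemetry"
            alerts.append(Alert(ts, user, client, action, topic, f"{what} access to robot not bound to account"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, OWNERSHIP):
        print(f"{a.ts} user={a.user} client={a.client} {a.action} {a.topic}: {a.reason}")
```

On the constructed log this reports three events: the wildcard subscription, the shared-credential client publishing a command to a robot it does not own, and a legitimate account publishing to another customer's robot. Command traffic to unowned serials is the signal worth paging on; wildcard subscriptions are the quieter sign that someone is collecting telemetry across the fleet.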

Compensating Controls: If the update cannot be applied, consider limiting network access to the robot's control interface from untrusted networks.
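The remediation depends on the broker replacing one shared secret with per-account credentials and topic authorization bound to the robots an account owns. The example below is added here and is not Yarbo's code or the actual May 2026 broker change; it shows, in Python, the shared-credential model the advisory describes beside a device-scoped authorizer. The role matrix, the topic layout `robots/<serial>/telemetry` and `robots/<serial>/cmd`, the account names and the serial numbers are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a secret baked into every app install (not the real value).
SHARED_APP_SECRET = "demo-shared-secret"


def legacy_shared_credential_authorize(secret: str, action: str, topic: str) -> bool:
    """The anti-pattern in the advisory: one secret for every install, and any client
    presenting it may subscribe or publish on any robot's topics."""
    return hmac.compare_digest(secret, SHARED_APP_SECRET) and topic.startswith("robots/")


def _hash_secret(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


class DeviceScopedAuthorizer:
    """Hardened model: a distinct credential per principal, stored as a salted hash,
    and every topic decision scoped to the serials that principal is bound to."""

    TOPIC_RE = re.compile(r"^robots/(?P<serial>[A-Z0-9-]+)/(?P<kind>telemetry|cmd)$")
    # Which actions each role may take on each topic kind (assumed for the example).
    ROLE_MATRIX = {
        "app": {"telemetry": {"subscribe"}, "cmd": {"publish"}},
        "robot": {"telemetry": {"publish"}, "cmd": {"subscribe"}},
    }

    def __init__(self):
        self._principals = {}  # user -> (salt, digest, role, {serials})

    def enroll(self, user: str, serials, role: str) -> str:
        """Issue a fresh random secret (e.g. at pairing) and bind it to the given serials."""
        if role not in self.ROLE_MATRIX:
            raise ValueError(f"unknown role {role!r}")
        secret = os.urandom(16).hex()
        salt = os.urandom(16)
        self._principals[user] = (salt, _hash_secret(secret.encode(), salt), role, set(serials))
        return secret

    def authenticate(self, user: str, secret: str) -> bool:
        rec = self._principals.get(user)
        if rec is None:
            _hash_secret(secret.encode(), b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest, _, _ = rec
        return hmac.compare_digest(digest, _hash_secret(secret.encode(), salt))

    def authorize(self, user: str, secret: str, action: str, topic: str) -> bool:
        if not self.authenticate(user, secret):
            return False
        if "+" in topic or "#" in topic:
            return False  # no single principal may span the fleet
        m = self.TOPIC_RE.match(topic)
        if m is None:
            return False
        _, _, role, serials = self._principals[user]
        if m["serial"] not in serials:
            return False
        return action in self.ROLE_MATRIX[role][m["kind"]]


if __name__ == "__main__":
    auth = DeviceScopedAuthorizer()
    s = auth.enroll("u1001", ["SN-AAA111"], "app")
    print("own robot:", auth.authorize("u1001", s, "publish", "robots/SN-AAA111/cmd"))
    print("other robot:", auth.authorize("u1001", s, "publish", "robots/SN-BBB222/cmd"))
```

The broker should check the second model on every CONNECT, SUBSCRIBE and PUBLISH; rejecting wildcards outright is what prevents a single compromised account from turning into fleet-wide telemetry access, and binding serials at enrollment is what makes a leaked app credential worth only that one customer's robot.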

Exploitation status

Public Exploit Available: True

Analyst recommendation

The reliance on hardcoded credentials for cloud connectivity is a critical failure. Users and administrators must both update the mobile application and ensure that the backend infrastructure has been patched to mitigate this unauthorized access vulnerability.