CVE-2026-7368
Yarbo · Yarbo mobile app and cloud services
The Yarbo cloud platform fails to enforce proper per-device or per-user authorization, allowing unauthorized access to global robot commands.
Executive summary
A high-severity authorization vulnerability in the Yarbo cloud platform allows any authenticated user to send commands to any robot globally using only its serial number.
Vulnerability
The Yarbo cloud service has an authorization flaw: it does not enforce per-device or per-user checks. Any user with valid credentials can therefore subscribe to wildcard topics and issue commands to any robot, needing only its serial number.
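As an added illustration, not Yarbo's own code, the check below contrasts the session-only authorization the advisory describes with a per-device check that rejects wildcard topic filters and requires the serial in the topic to belong to the requesting account. The topic layout robots/<serial>/cmd, the Session ownership table and the serial values are assumptions.

```python
# Added example (not Yarbo's code): a per-user topic authorization check of the
# kind the advisory says the cloud service lacked. The topic layout
# "robots/<serial>/cmd", the ownership table and the serials are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional

MQTT_WILDCARDS = ("#", "+")  # multi-level and single-level topic wildcards


@dataclass
class Session:
    user_id: str
    owned_serials: FrozenSet[str]  # serials this account has registered


def _serial_from_topic(topic: str) -> Optional[str]:
    """Extract the serial from 'robots/<serial>/cmd'; None if malformed."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "robots" or parts[2] != "cmd":
        return None
    return parts[1] or None  # empty segment counts as malformed


def authorize_vulnerable(session: Session, action: str, topic: str) -> bool:
    """Behaviour the advisory describes: only a valid session is required,
    so wildcard filters and other accounts' serials are all accepted."""
    return session is not None


def authorize_fixed(session: Session, action: str, topic: str) -> bool:
    """Per-device check: refuse wildcards outright (a filter containing '#'
    or '+' would match robots the account does not own), then require the
    serial in the topic to be one the session's account has registered."""
    if action not in ("subscribe", "publish"):
        return False
    if any(w in topic for w in MQTT_WILDCARDS):
        return False
    serial = _serial_from_topic(topic)
    if serial is None:
        return False
    return serial in session.owned_serials


# Constructed sample account owning a single robot.
ALICE = Session("alice", frozenset({"SN-0001"}))

if __name__ == "__main__":
    for t in ("robots/SN-0001/cmd", "robots/SN-9999/cmd", "robots/+/cmd", "robots/#"):
        print(f"{t:20} vulnerable={authorize_vulnerable(ALICE, 'subscribe', t)} "
              f"fixed={authorize_fixed(ALICE, 'subscribe', t)}")
```

Only the account's own serial passes the fixed check; the wildcard filters and a foreign serial are denied, whereas the session-only check accepts all four.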
Business impact
The CVSS score of 8.1 reflects the severe risk of unauthorized control over physical robotic hardware. Exploitation could allow attackers to remotely operate or disable robots globally, leading to potential property damage, privacy concerns, or significant operational disruption for users of the Yarbo system.
Remediation
Immediate Action: Update the Yarbo mobile app to version 3.17.4 or later and ensure that all associated cloud services have been updated to the May 2026 release.
Proactive Monitoring: Review account activity logs for suspicious commands or unauthorized attempts to interact with devices not associated with the user's account.
Compensating Controls: Ensure that all mobile devices are protected by strong, unique passwords and enable two-factor authentication where available to protect the base account.
Exploitation status
Public Exploit Available: False
Analyst recommendation
All users and administrators of the Yarbo ecosystem must ensure the mobile application is updated to the latest version. Given the nature of the vulnerability, which persists beyond the removal of hard-coded credentials, applying the server-side and client-side updates is the only way to effectively secure the device ecosystem.