Security researchers have identified critical vulnerabilities in the Yarbo robot's mobile apps. The first vulnerability (CVE-2026-10557) involves hard-coded MQTT credentials shared across all devices, allowing attackers to exploit and control the entire robot fleet simply by decompiling the app. The second issue (CVE-2026-7368) is a lack of authorization checks, which gives any valid user access to every robot after logging in.
Users are advised to update to version 3.17.4 of the app, and fixes will be implemented automatically via a future cloud update. Both vulnerabilities exemplify common security flaws in connected devices.