Hard-coded MQTT broker credentials in Yarbo robot apps expose global fleet to remote control (CVE-2026-10557)
critical-cve-against-infra · active
The Yarbo Android and iOS apps embed hard-coded MQTT broker credentials that are identical for every user and device and can be extracted by decompiling the app. With these credentials, anyone can subscribe to all robot telemetry and send commands to any robot in the global fleet using only its serial number.