PatchSiren cyber security CVE debrief
CVE-2026-7368 Yarbo CVE debrief
The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.
- Vendor: Yarbo
- Product: Yarbo Android/iOS mobile application
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Yarbo cloud and administrators of robot fleets using Yarbo cloud should be aware of this vulnerability and take immediate action to secure their systems.
Technical summary
The Yarbo cloud lacks per-device and per-user authorization, allowing clients with valid credentials to access all robots globally and publish to any robot's command topic.
Defensive priority
HIGH
Recommended defensive actions
- Implement per-device and per-user authorization in the Yarbo cloud.
- Remove or rotate hard-coded credentials.
- Monitor robot telemetry streams for unauthorized access.
- Restrict access to each robot's command topic so that knowing its serial number (which is disclosed in telemetry) is not by itself sufficient to publish to it.
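The missing control described in the summary and the first and last recommended actions above, as an added illustration that is not Yarbo's code: a broker-side authorization hook that binds each authenticated identity to the robot serial numbers it owns, refuses wildcard subscriptions that would span other owners' robots, and refuses command publishes keyed only on a serial number. The `robots/<serial>/telemetry` and `robots/<serial>/cmd` topic layout and the ownership table are assumptions constructed for the example.

```python
import re

# Constructed sample ownership table: which serials each authenticated
# identity may touch. In a real deployment this comes from the account store.
OWNERSHIP = {
    "user-alice": {"SN-0001", "SN-0002"},
    "user-bob": {"SN-0003"},
}

# A serial segment must be a literal identifier; '+' and '#' never match.
SERIAL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def parse_topic(topic):
    """Return (serial, leaf) for a topic shaped robots/<serial>/<leaf>, else None.
    The topic layout is a hypothetical assumption for this example."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "robots":
        return None
    return parts[1], parts[2]


def owned(identity, serial):
    return serial in OWNERSHIP.get(identity, set())


def can_subscribe(identity, topic_filter):
    """Allow a subscription only if the serial segment names one robot the
    identity owns. A wildcard in that segment ('+' or '#') would cover every
    robot on the platform, which is exactly the fleet-wide exposure."""
    if "#" in topic_filter:          # multi-level wildcard spans other owners
        return False
    parsed = parse_topic(topic_filter)
    if parsed is None:
        return False
    serial, _leaf = parsed           # '+' as the leaf is fine: own robot only
    if not SERIAL_RE.match(serial):  # rejects '+' or malformed serial segment
        return False
    return owned(identity, serial)


def can_publish(identity, topic):
    """Commands may only go to the cmd topic of a robot the identity owns.
    Knowing a serial number (e.g. read from telemetry) grants nothing."""
    parsed = parse_topic(topic)
    if parsed is None:
        return False
    serial, leaf = parsed
    if leaf != "cmd" or not SERIAL_RE.match(serial):
        return False
    return owned(identity, serial)
```

Denied decisions from these hooks are the events worth forwarding to monitoring, since a credential that repeatedly requests wildcard filters or foreign serials is the signature of the misuse described above.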
Evidence notes
The CVE-2026-7368 record and NVD detail provide information on this vulnerability.
Official resources
CVE-2026-7368 was published on 2026-06-12T15:16:32.290Z and modified on 2026-06-12T16:06:47.720Z.