CVE-2026-10557 | Severity: CRITICAL | CNA: icscert

CVE-2026-10557: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Use of Hard-coded Credentials

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 3.17.4
Affected Products: 2


HarborGuard Analysis

Synopsis

Hard-coded credential vulnerability in the Yarbo Android and iOS mobile applications allows any unauthenticated attacker with network access to extract identical MQTT broker credentials from the application binary and use them against Yarbo's cloud infrastructure. The credentials are embedded in all app versions below 3.17.4 and are trivially recoverable via APK decompilation, requiring no special skill or account. Successful exploitation gives an attacker the ability to read real-time telemetry from any Yarbo robot in the global fleet and send commands to any device using only its serial number. A patched-image rebuild at version 3.17.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-10557 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle the Yarbo mobile application or any containerized component of the Yarbo cloud stack. Any image carrying a vulnerable version below 3.17.4 is flagged automatically in customer registries and CI/CD pipelines.

Triage (Available)

HarborGuard scores this CVE at 9.3 CVSS v4.0 (Critical) and surfaces it with that severity weighting applied against each customer's compliance policy, so teams with stricter thresholds for internet-facing or IoT-adjacent workloads receive appropriately elevated priority. Findings are routed to the inbox or ticketing integration configured for each environment, ensuring the right team sees the alert without manual triage overhead.

Patch (Available)

A patched-image rebuild at version 3.17.4 becomes available on HarborGuard for any environment running an affected version of the Yarbo application. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fix version, runs regression tests against the rebuilt image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach Yarbo's cloud MQTT brokers over the internet; the vulnerable service is network-exposed and reachable from any internet-connected host.

  • Authentication: Not required

    No account or credential is needed beyond what is already embedded in the application binary; the hard-coded credentials themselves supply full broker access.

  • Victim interaction: Not required

    Exploitation is entirely attacker-driven and requires no action from any Yarbo user or device owner.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free; extracting credentials requires only standard APK decompilation tooling and no timing constraints or environmental dependencies.

Blast Radius

  • Reads real-time telemetry from every Yarbo robot in the global fleet by subscribing to wildcard MQTT topics, exposing GPS location, operational state, and sensor data for all devices.
  • Publishes arbitrary commands to any individual robot's command topic using only its serial number, enabling unauthorized control of physical robot behavior.
  • Tampers with command streams in a way that persists until the device reconnects or receives a corrective command, disrupting normal operation across any targeted subset of the fleet.
  • Enumerates active serial numbers passively from the telemetry stream, building a target list of devices without any interaction with device owners.
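The description and the Blast Radius list above rest on two authorization failures: one credential shared by every app and robot, and a broker that lets that credential subscribe to fleet-wide wildcard topics and publish to any serial's command topic. The following added example (not Yarbo's code and not part of this record) sketches the broker-side check that closes both: each credential maps to a principal bound to specific serials, and a subscribe or publish is granted only when an ACL pattern instantiated for one of those serials fully covers the requested filter, MQTT `+`/`#` wildcards included. The topic layout `robots/<serial>/telemetry` and `robots/<serial>/cmd`, the principal kinds and the ACL table are assumptions.

```python
"""Per-principal MQTT topic authorization (constructed example).

Topic layout, principal kinds and ACL patterns below are assumptions for
illustration, not Yarbo's real schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    kind: str                  # "robot" (a device) or "app" (a user's mobile client)
    serials: frozenset[str]    # robot serial numbers this credential is bound to


# Least-privilege grants, instantiated per bound serial. A robot may only publish
# its own telemetry and read its own commands; an app may only command and read
# the robots bound to the account. No pattern spans more than one serial.
ACL = {
    "robot": {"publish": ("robots/{serial}/telemetry",), "subscribe": ("robots/{serial}/cmd",)},
    "app":   {"publish": ("robots/{serial}/cmd",),       "subscribe": ("robots/{serial}/#",)},
}


def filter_covers(granted: str, requested: str) -> bool:
    """True iff every topic matched by `requested` is also matched by `granted`.

    MQTT filter subsumption: '#' covers any remaining tail, '+' covers exactly
    one level, a literal covers only itself. A requested '#' is covered only by
    a granted '#', so "robots/+/telemetry" or "robots/#" can never be satisfied
    by a grant scoped to a single serial.
    """
    g, r = granted.split("/"), requested.split("/")
    for i, seg in enumerate(g):
        if seg == "#":
            return True
        if i >= len(r) or r[i] == "#":
            return False
        if seg != "+" and seg != r[i]:
            return False
    return len(g) == len(r)


def authorize(principal: Principal, action: str, topic_filter: str) -> bool:
    """Grant only if an ACL pattern for a serial bound to this principal covers the request."""
    patterns = ACL.get(principal.kind, {}).get(action, ())
    return any(
        filter_covers(pattern.format(serial=serial), topic_filter)
        for serial in principal.serials
        for pattern in patterns
    )
```

A broker that grants a shared credential `#` on both actions (`filter_covers("#", "robots/+/telemetry")` is true) is the situation this CVE describes; binding each credential to its own serials is what makes the wildcard requests fail.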

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10557 is active across all customer environments as of the CVE's publication date, matching any image that bundles a Yarbo application version below 3.17.4. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 3.17.4, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Note that the Yarbo Cloud MQTT infrastructure itself is listed as affected across all versions; where that component is deployed or mirrored as a container image in customer environments, HarborGuard will flag it and track upstream advisory updates for infrastructure-side fixes. Where compliance policy permits, customers may also apply compensating controls in the interim, such as network-policy isolation to restrict outbound MQTT traffic from application containers to known-safe broker endpoints.


Fix available: 3.17.4

Affected packages
  • Yarbo / Yarbo Android/iOS mobile application: < 3.17.4 (from 0)
  • Yarbo / Yarbo Cloud MQTT infrastructure: all versions

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N