CVE-2026-7368: Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization
The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: 3.17.4
- Affected Products: 2
HarborGuard Analysis
Synopsis
Missing authorization in the Yarbo Android/iOS mobile application and Yarbo Cloud MQTT infrastructure allows any authenticated client to subscribe to wildcard MQTT topics covering every robot in the global fleet and publish commands to any individual robot using only its serial number. The vulnerability is reachable over the network and requires only low-privilege credentials, meaning a single compromised account is sufficient to gain fleet-wide control without any per-device access check. Successful exploitation enables an attacker to read telemetry from and issue commands to any Yarbo robot globally, and a patched-image rebuild at version 3.17.4 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including ICS-CERT advisories) within minutes of publication and matched against customer images containing the affected Yarbo application components, including custom-built images that bundle the Yarbo mobile app or cloud connector. Coverage extends to both the mobile application package and any containerized MQTT infrastructure components present in customer registries.
HarborGuard is capable of scoring this finding at CVSS v4.0 8.6 (HIGH) and weighting it against each customer environment's per-environment compliance policy to prioritize accordingly. Triage routing directs findings to the appropriate team inbox within each customer organization based on configured ownership rules for IoT, cloud infrastructure, or mobile application workloads.
A patched-image rebuild at version 3.17.4 is available on HarborGuard for any environment running an affected version of the Yarbo application or cloud components. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs the configured regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Yarbo Cloud MQTT broker over the network; the service is internet-exposed by design for remote robot management.
- Authentication: Required
  Any low-privilege account is sufficient; the attacker needs only a single set of valid credentials, including the previously hard-coded shared credentials or any one legitimately issued per-user credential.
- Victim interaction: Not required
  No user action is needed; the attacker interacts directly with the MQTT broker without involving any other user.
- Attack complexity
  Exploitation is reliable and condition-free: no race conditions or special environmental factors are required, and robot serial numbers needed to target specific devices are disclosed in the telemetry stream.
Blast Radius
- Reads live telemetry from every robot in the global Yarbo fleet by subscribing to wildcard MQTT topics, exposing location, status, and operational data for all devices.
- Issues arbitrary commands to any individual robot using only its serial number, enabling unauthorized control of physical robotic equipment across all customer deployments.
- A single compromised low-privilege credential exposes the entire fleet, meaning account takeover of any one user account removes all device-level access boundaries.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-7368 is matched against customer images within minutes of publication, covering containerized Yarbo application and MQTT infrastructure components in any registry or build pipeline. For environments running a version below 3.17.4, a patched-image rebuild at the fix version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, runs a regression test pass, and opens a pull request against the affected workload; for HIGH-severity issues, median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. Given the severity of fleet-wide authorization bypass and the fact that the Yarbo Cloud MQTT infrastructure has no fix version listed, customers running that component should consider network-policy isolation of MQTT broker access, egress filtering to restrict which workloads can reach the broker, and per-device topic ACL enforcement as compensating controls while awaiting a full infrastructure-side fix. HarborGuard re-checks the advisory each ingest cycle and will surface a patched rebuild for the cloud infrastructure component the moment an upstream fix is published.
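The control the advisory says is missing (a per-device access check at subscribe and publish time) and the compensating "per-device topic ACL enforcement" recommended above can both be expressed as a broker-side authorization hook. The following is an added example, not Yarbo's or HarborGuard's code; it assumes a hypothetical topic layout of `robots/<serial>/telemetry` and `robots/<serial>/cmd` (not Yarbo's real schema) and a `Principal` that carries the serials bound to an account. It contrasts the authenticated-only policy the advisory describes, under which `robots/+/telemetry` is accepted, with a policy that admits a filter only when every topic it can match belongs to a robot the account owns.

```python
"""Per-device MQTT topic authorization (added example; not Yarbo's or HarborGuard's code).

Assumed topic layout, constructed for this example and not Yarbo's real schema:
    robots/<serial>/telemetry   robot publishes, its owner may subscribe
    robots/<serial>/cmd         owner may publish, the robot subscribes
"""
from dataclasses import dataclass
from typing import Optional

CHANNELS = ("telemetry", "cmd")
OWNER_READ = frozenset({"telemetry"})   # channels an owner may subscribe to
OWNER_WRITE = frozenset({"cmd"})        # channels an owner may publish to


@dataclass(frozen=True)
class Principal:
    username: str
    owned_serials: frozenset  # serial numbers of robots bound to this account


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, '#' matches the remainder."""
    flevels = topic_filter.split("/")
    tlevels = topic.split("/")
    for i, level in enumerate(flevels):
        if level == "#":
            return True
        if i >= len(tlevels):
            return False
        if level != "+" and level != tlevels[i]:
            return False
    return len(flevels) == len(tlevels)


def authorize_authn_only(principal: Optional[Principal], action: str, pattern: str) -> bool:
    """The failing policy the advisory describes: any authenticated client may
    subscribe to any filter (fleet-wide wildcards included) or publish anywhere."""
    return principal is not None


def authorize_per_device(principal: Optional[Principal], action: str, pattern: str) -> bool:
    """Allow only if every topic the pattern could match belongs to a robot the
    principal owns and the channel is permitted for the requested action."""
    if principal is None or action not in ("subscribe", "publish"):
        return False
    levels = pattern.split("/")
    if len(levels) != 3 or levels[0] != "robots":
        return False
    serial, channel = levels[1], levels[2]
    # A wildcard in the serial level ('+' or '#') is never an owned serial, so fleet-wide
    # filters are rejected here, as is any serial the account is not bound to.
    if serial not in principal.owned_serials:
        return False
    if action == "publish":
        # MQTT forbids wildcards in publish topics; require a concrete, writable channel.
        return channel in OWNER_WRITE
    # For subscriptions, enumerate the channels the filter could match and require
    # all of them to be readable by the owner (so 'robots/<serial>/#' is denied).
    matched = {c for c in CHANNELS if topic_matches(pattern, f"robots/{serial}/{c}")}
    return bool(matched) and matched <= OWNER_READ


def evaluate(principal: Optional[Principal], requests):
    """Run each (action, pattern) through both policies.
    Returns {(action, pattern): (authn_only_decision, per_device_decision)}."""
    return {
        (action, pattern): (
            authorize_authn_only(principal, action, pattern),
            authorize_per_device(principal, action, pattern),
        )
        for action, pattern in requests
    }


if __name__ == "__main__":
    # Constructed sample: one account bound to a single robot.
    alice = Principal("alice", frozenset({"SN-0001"}))
    requests = [
        ("subscribe", "robots/SN-0001/telemetry"),  # own robot: both policies allow
        ("subscribe", "robots/+/telemetry"),        # fleet-wide wildcard: only per-device denies
        ("subscribe", "#"),                         # everything: only per-device denies
        ("publish", "robots/SN-0001/cmd"),          # own robot: both policies allow
        ("publish", "robots/SN-9999/cmd"),          # unowned serial: only per-device denies
    ]
    for (action, pattern), (legacy, hardened) in evaluate(alice, requests).items():
        print(f"{action:9} {pattern:28} authn-only={legacy!s:5} per-device={hardened}")
```

Wiring a hook like this into a broker's ACL layer is the compensating control named above: the ownership lookup (`owned_serials`) is the per-device binding that a credential alone does not provide, and rejecting any filter whose serial level is a wildcard is what removes the fleet-wide subscription path regardless of which account was compromised.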
Fix available
- Yarbo / Yarbo Android/iOS mobile application: < 3.17.4 (from 0)
- Yarbo / Yarbo Cloud MQTT infrastructure: All (no fix version listed)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N