External risk intelligence

Yarbo Robot Fleet Credential Leak

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-10557

The Yarbo mobile applications contain hard-coded credentials that provide access to cloud MQTT brokers. These brokers carry real-time telemetry for the global Yarbo robot fleet, and the credentials allow unauthorized subscription to telemetry and publishing of commands to any robot. This vulnerability is critical becau

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-10557: 3

The vulnerability involves hard-coded credentials within mobile applications that interact with cloud-based MQTT brokers. While these brokers are network-reachable, they typically function as backend infrastructure rather than public-facing web services or management portals, so their direct exposure to arbitrary internet actors depends on the specific cloud deployment architecture. Note, however, that the mobile app itself must reach these brokers from owners' home and mobile networks, so an attacker holding the extracted credentials connects from the same vantage point as a legitimate user.

PCI scan relevance

PCI Relevance for CVE-2026-10557

Yes

CVE-2026-10557 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves hard-coded MQTT credentials that are identical in every installation of the app, allowing unauthorized access to sensitive telemetry and control of all devices. Credentials shared across all users in this way are equivalent to default credentials, which are treated as an automatic failure under PCI ASV scan rules.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

The Yarbo mobile applications for Android and iOS have a critical security flaw: the credentials for their cloud-based messaging system are hard-coded and identical across every installation. Anyone who can obtain the application package can therefore recover them and potentially read real-time robot data and send commands to the global fleet. The first question for a defender is whether this technology is in use and whether it is exposed.

  • Hard-coded secrets in app allow fleet control.
  • This could expose robot operations and data.
  • Confirm if Yarbo apps are deployed.

Attack Path

How an attacker could exploit the issue

An attacker could extract hard-coded MQTT credentials from the Yarbo mobile application, then use these credentials to access cloud brokers. From there, they could subscribe to telemetry data from any robot in the fleet or send commands to individual robots if the robot's serial number is known.

  • Obtain credentials from app binary.
  • Connect to cloud MQTT brokers.
  • Monitor telemetry or send commands.

Live Threat

Current exploitation, exposure, and threat context

Hard-coded, identical MQTT broker credentials within the Yarbo applications could allow an attacker to access real-time telemetry for the global robot fleet. Once connected, an attacker could subscribe to telemetry for the whole fleet and, with a robot's serial number, publish commands to that robot.

  • Robot telemetry and command channels at risk.
  • Credentials extractable via app decompilation.
  • Unauthorized control or data interception possible.
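The first step of the attack path and the "credentials extractable via app decompilation" point above both come down to the same check: does the app bundle ship a broker endpoint together with a static secret? The following is an added example written for this page, not code from Yarbo or from the advisory. It builds a constructed APK-like zip (an APK is a zip archive) with placeholder values, then runs the string and regex sweep an auditor would run over a real package. Every file name, URL, username and password in it is invented for the example.

```python
import io
import re
import zipfile

# Constructed sample: a minimal APK-like zip holding one config asset and one
# raw resource that embed a broker URL plus a shared username/password.
# Every value here is a placeholder invented for this example; none of them
# come from a real Yarbo build.
def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "assets/mqtt_config.json",
            '{"broker": "ssl://broker.example.invalid:8883", '
            '"username": "fleet_app", "password": "s3cr3t-shared"}',
        )
        z.writestr(
            "res/raw/endpoints.txt",
            "mqtts://fleet_app:s3cr3t-shared@broker.example.invalid:8883\n",
        )
        z.writestr("classes.dex", b"\x00" * 64)  # binary filler, no strings inside
    return buf.getvalue()


# Patterns an auditor greps for: broker URLs, key/value credential pairs, and
# credentials embedded in the URL authority (user:pass@host).
BROKER_URL = re.compile(r"\b(?:mqtts?|ssl|tcp|wss?)://[^\s\"'<>]+", re.I)
CRED_KV = re.compile(
    r"[\"']?(user(?:name)?|pass(?:word)?|secret|token)[\"']?\s*[:=]\s*[\"']([^\"'\s]+)[\"']",
    re.I,
)
CRED_IN_URL = re.compile(r"://([^:/@\s]+):([^@\s]+)@")

TEXT_EXTS = (".json", ".txt", ".xml", ".properties", ".yaml", ".yml", ".js")


def extract_text(name: str, data: bytes) -> str:
    """Text members are decoded directly; binary members (dex, .so) get a
    `strings`-style pass that keeps printable ASCII runs of 8+ bytes."""
    if name.endswith(TEXT_EXTS):
        return data.decode("utf-8", errors="ignore")
    return "\n".join(m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{8,}", data))


def scan_apk(apk_bytes: bytes) -> list[dict]:
    """Return one finding per broker URL or credential-looking key/value pair."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            text = extract_text(name, z.read(name))
            for m in BROKER_URL.finditer(text):
                url = m.group(0)
                kind = "broker_url_with_credentials" if CRED_IN_URL.search(url) else "broker_url"
                findings.append({"file": name, "kind": kind, "value": url})
            for m in CRED_KV.finditer(text):
                findings.append({"file": name, "kind": "credential_" + m.group(1).lower(), "value": m.group(2)})
    return findings


def has_hardcoded_broker_credentials(findings: list[dict]) -> bool:
    """A bundle is flagged when it ships a broker endpoint together with a
    password, secret, token or credential-bearing URL; the two together are
    what let any holder of the app connect as a legitimate client."""
    kinds = {f["kind"] for f in findings}
    has_endpoint = bool(kinds & {"broker_url", "broker_url_with_credentials"})
    has_secret = bool(kinds & {"broker_url_with_credentials", "credential_password",
                               "credential_secret", "credential_token"})
    return has_endpoint and has_secret


if __name__ == "__main__":
    results = scan_apk(build_sample_apk())
    for f in results:
        print(f"{f['file']}: {f['kind']} -> {f['value']}")
    print("hard-coded broker credentials:", has_hardcoded_broker_credentials(results))
```

Regex sweeps produce candidates, not proof: a finding still has to be confirmed by decompiling the code that reads it, and strings that are obfuscated, encrypted at rest or assembled at runtime will not show up this way and need a decompiler or runtime instrumentation instead. The same scan applied to an iOS bundle works on the `.ipa` zip, with the Mach-O binary handled by the `strings`-style branch.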

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Yarbo mobile application's hard-coded MQTT credentials expose sensitive telemetry and command channels. Initial triage should focus on identifying all deployed Yarbo applications, assessing their network reachability and criticality, and locating the accountable business or platform owners. Because both the credentials and the brokers belong to the vendor's platform, the actual fix (revoking the shared secret and issuing per-device or per-user credentials with topic-level authorization) has to come from the vendor; the operator's part is inventory, exposure assessment and vendor coordination, with risk-reduction measures chosen according to what the triage finds.

  • Identify all Yarbo application instances.
  • Verify network exposure and criticality.
  • Engage the vendor for an updated app and credential rotation.

Frequently asked questions

What is the Yarbo application?

Yarbo produces autonomous yard robots, such as snow blowers or lawn mowers, which users manage through mobile applications. These apps for Android and iOS act as the control interface, allowing owners to monitor telemetry data and send operational commands to their robots via cloud-based messaging services.

What is the weakness class for CVE-2026-10557?

This vulnerability is classified as CWE-798, the use of hard-coded credentials. In this case, the application contains static, identical authentication secrets embedded directly within its binary. Because the credentials are the same for all users, they identify the app rather than any individual owner, so anyone who decompiles the app can retrieve them and is indistinguishable from a legitimate user; revoking them requires re-issuing a new app build to every user at once.
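Why a single shared credential turns a per-robot topic layout into fleet-wide access is easiest to see from the broker's side. The following is an added model written for this page, not Yarbo's code and not the advisory's; the topic layout (`robots/<serial>/telemetry`, `robots/<serial>/cmd`), the serials and the ACL shapes are assumptions made for the example. It compares the CWE-798 design, where every app install authenticates as one principal, with per-owner credentials bound to a topic ACL.

```python
from __future__ import annotations

# Hypothetical topic layout, assumed for this example: one telemetry topic and
# one command topic per robot, keyed by serial number.
#   robots/<serial>/telemetry   (robot publishes, app subscribes)
#   robots/<serial>/cmd         (app publishes, robot subscribes)


def filter_covers(allowed: str, requested: str) -> bool:
    """True when every topic matching `requested` also matches `allowed`.
    Implements MQTT wildcard semantics: '+' is one level, '#' is the rest.
    With a concrete topic as `requested` this is plain topic matching, so the
    same check serves both PUBLISH (topic) and SUBSCRIBE (filter) decisions."""
    a, r = allowed.split("/"), requested.split("/")
    for i, seg in enumerate(a):
        if seg == "#":
            return True
        if i >= len(r):
            return False          # allowed has more levels and no trailing '#'
        if r[i] == "#":
            return False          # requested is broader than allowed from here on
        if seg == "+":
            continue
        if r[i] == "+" or r[i] != seg:
            return False
    return len(a) == len(r)


def authorize(acl: dict[str, list[str]], action: str, topic: str) -> bool:
    """Broker-side ACL decision for a PUBLISH ('publish') or SUBSCRIBE ('subscribe')."""
    return any(filter_covers(p, topic) for p in acl.get(action, []))


# Weak design (CWE-798): the same username/password is baked into every app
# install, so the broker sees one principal and the ACL must admit the whole
# fleet for the app to work at all.
SHARED_CREDENTIAL_ACL = {"subscribe": ["robots/#"], "publish": ["robots/#"]}


# Hardened design: the app obtains a per-account credential at login, and the
# broker ACL for that credential lists only the serials the account owns.
def per_owner_acl(owned_serials: list[str]) -> dict[str, list[str]]:
    return {
        "subscribe": [f"robots/{s}/telemetry" for s in owned_serials],
        "publish": [f"robots/{s}/cmd" for s in owned_serials],
    }


def attacker_reach(acl: dict[str, list[str]], victim_serial: str) -> dict[str, bool]:
    """What someone who extracted this credential can do to another owner's robot."""
    return {
        "watch_whole_fleet": authorize(acl, "subscribe", "robots/+/telemetry"),
        "watch_victim": authorize(acl, "subscribe", f"robots/{victim_serial}/telemetry"),
        "command_victim": authorize(acl, "publish", f"robots/{victim_serial}/cmd"),
    }


if __name__ == "__main__":
    print("shared credential   :", attacker_reach(SHARED_CREDENTIAL_ACL, "SN-0002"))
    alice = per_owner_acl(["SN-0001"])
    print("per-owner credential:", attacker_reach(alice, "SN-0002"))
    print("alice sees her own robot:", authorize(alice, "subscribe", "robots/SN-0001/telemetry"))
```

The point of the comparison is that topic ACLs only help once each credential names a distinct principal: with the shared credential the ACL has to be `robots/#` or the app breaks, and a guessable serial-number topic layout then gives the holder the whole fleet. The hardened variant still needs the credential to be issued after authentication (ideally short-lived) and never embedded in the build, otherwise it is the same CWE-798 problem with a narrower ACL.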

How does an attacker trigger this vulnerability?

An attacker triggers this by first extracting the hard-coded credentials from the Yarbo application binary. Once they possess these secrets, they can connect to the cloud MQTT brokers used by the fleet. Simply possessing the app or a robot does not trigger the bug; the risk arises only when an unauthorized actor uses these extracted credentials to actively communicate with the cloud infrastructure.

Is my organization at risk from this vulnerability?

According to Halo Surface Signal, this risk depends on your cloud deployment architecture. While the MQTT brokers are network-reachable, they function as backend infrastructure rather than direct public-facing management portals. If your environment relies on these specific cloud services for robot communication, you may be affected, even if the service is not directly exposed as a web interface.

What should I do if I use Yarbo applications?

Start by identifying all instances of Yarbo mobile applications currently in use within your environment. Verify how these devices interact with your network and assess the criticality of the data involved. Once identified, contact the vendor to coordinate on authorized updates or patches to resolve the use of hard-coded credentials.
