CVE-2026-1442
Firmware Update Encryption Flaw in Unitree Products Enables Tampering

Publication date: 2026-02-27

Last updated on: 2026-03-11

Assigner: Austin Hackers Anonymous

Description
Since the encryption algorithm used to protect firmware updates is itself encrypted using key material available to an attacker (or anyone paying attention), the firmware updates may be altered by an unauthorized user, and then trusted by a Unitree product, such as the Unitree Go2 and other models. This issue appears to affect all of Unitree’s current offerings as of February 26, 2026, and so should be considered a vulnerability in both the firmware generation and extraction processes. At the time of this release, there is no publicly-documented mechanism to subvert the update process and insert poisoned firmware packages without the equipment owner’s knowledge.
Meta Information
Published: 2026-02-27
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-02-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
unitree go2_edu_standard_firmware *
unitree go2_air_firmware *
unitree go2_pro_firmware *
unitree go2_x_firmware *
unitree go1_air_firmware *
unitree go1_pro_firmware *
unitree go2_edu_plus_firmware *
CWE
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the encryption algorithm used to protect firmware updates for Unitree products, such as the Unitree Go2. The encryption itself is protected using key material that is accessible to an attacker or anyone paying attention. Because of this, an unauthorized user can alter the firmware updates, and these altered updates may still be trusted and accepted by the device.

The issue affects both the firmware generation and extraction processes and applies to all current Unitree offerings as of February 26, 2026.

At the time of the report, there is no publicly documented way to bypass the update process to insert malicious firmware without the equipment owner's knowledge.


How can this vulnerability impact me?

This vulnerability can have serious impacts because an attacker can alter firmware updates and have the device accept and run them. This can lead to unauthorized code execution on the device.

The CVSS score of 7.8 indicates high severity, with potential impacts on confidentiality, integrity, and availability.

  • Confidentiality: Sensitive data on the device could be exposed.
  • Integrity: The device's firmware can be tampered with, potentially causing it to behave maliciously or incorrectly.
  • Availability: The device could be disrupted or rendered inoperable.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know

