Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged
Permalink CVE-2026-7415
9.8 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 months ago Activity log
  • Created suggestion
Open MQTT orchestration without read/write ACLs in Yarbo robot firmware

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind.

Affected products

Firmware
  • =<2.3.9

Matching in nixpkgs

pkgs.zd1211fw

Firmware for the ZyDAS ZD1211(b) 802.11a/b/g USB WLAN chip

  • nixos-unstable 1.5
    • nixpkgs-unstable 1.5
    • nixos-unstable-small 1.5

pkgs.uefi-firmware-parser

Tool for parsing, extracting, and recreating UEFI firmware volumes

  • nixos-unstable 1.13
    • nixpkgs-unstable 1.13
    • nixos-unstable-small 1.13

Package maintainers