Hardcoded Credentials in Yarbo Firmware from Vendor
CVE-2026-7414

9.8 CRITICAL

Key Information:

Vendor: Yarbo

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-7414?

The Yarbo firmware version 2.3.9 contains hardcoded administrative credentials that are the same across all devices running this firmware. These credentials cannot be changed or removed by end users, posing a significant risk as anyone with knowledge of these credentials can easily gain unauthorized access to the device management interfaces. This vulnerability highlights the importance of secure credential management in firmware development.

Affected Version(s)

Firmware 0 <= 2.3.9

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andreas Makris (aka Bin4ry)
todb of AHA!