A security researcher has disclosed an alleged cloud security vulnerability that could allow someone with a certificate extracted from certain Shark robot vacuums to execute commands on other compatible Shark robots within the same Amazon Web Services region.
According to the researcher, who publishes under the handle tokay0, the primary flaw is an overly permissive AWS IoT policy associated with some Shark device certificates. If exploited, the vulnerability could potentially allow an attacker to control affected robots and, on compatible models, access live camera feeds, stored home maps, and Wi-Fi credentials.

What Is the Shark Robot Vacuum Vulnerability?
The researcher says some Shark device certificates had broader cloud permissions than intended, allowing them to communicate with devices other than the intended robot. This type of cloud authorization issue is similar to a previously disclosed vulnerability affecting DJI robot vacuums. We covered that incident, along with other notable robot vacuum security and privacy cases, in our guide to robot vacuum security.
While monitoring one AWS region for 24 hours, the researcher observed more than 1.5 million unique Shark device serial numbers. Approximately 44% of the devices emitted a response associated with the command feature, which the researcher interpreted as evidence that those devices supported the relevant command handler.
The researcher observed those devices communicating with the cloud service rather than individually testing or compromising them. There is currently no public evidence that attackers have exploited the vulnerability against Shark customers.

Has SharkNinja Released a Fix?
According to the disclosure, the researcher first reported to SharkNinja in March 2026 and publicly disclosed in July after the researcher concluded it remained unresolved. At the time of publication, no CVE had been assigned, and SharkNinja had not published a response.
SharkNinja’s Vulnerability Disclosure Policy states that the company will provide regular updates for reported vulnerabilities affecting connected products until they are resolved. The report claims the issue can be corrected through changes to SharkNinja’s AWS cloud configuration and should not require a firmware update for customers.
Top 20 Robot Vacuums
Explore Vacuum Wars’ always up-to-date rankings of the best robot vacuums, based on independent, hands-on testing. We purchase every unit ourselves and have evaluated more than 150 models, giving us a deep benchmark for cleaning performance, navigation, battery life, and advanced features like obstacle avoidance and mopping.
Shark Robot Vacuum Buyers Guide 2026
We outline the key distinctions among Shark robot vacuums so you can determine which features are worth the extra cost and which ones you can pass on. Whether you’re interested in a budget-friendly option or a premium model with state-of-the-art features, we’ll walk you through the essential details to help you select a Shark robot vacuum that suits both your home and your budget. See the Guide




