Px4 Autopilot
CVE-2026-32709
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.
AnalysisAI
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on flight controller filesystems without authentication or privilege requirements. Affected versions are prior to 1.17.0-rc2, impacting both NuttX-based flight controllers and POSIX targets (Linux companion computers and SITL simulation environments). Attackers with network access to MAVLink communication channels can exploit this vulnerability to compromise flight controller integrity, extract sensitive configuration data, or inject malicious firmware.
Technical ContextAI
PX4 Autopilot is an open-source flight control software that implements the MAVLink protocol for communication between ground stations and unmanned aerial vehicles. The vulnerability exists in the MAVLink FTP server implementation, which is designed to allow remote file operations over the MAVLink communication protocol. The root cause is improper input validation in path handling: on NuttX targets, the FTP root directory is defined as an empty string, causing attacker-supplied paths to be passed directly to filesystem syscalls without sanitization or prefix validation. On POSIX targets (Linux), the write-path validation function unconditionally returns true, providing zero protection against path traversal. Additionally, a time-of-check-time-of-use (TOCTOU) race condition exists in NuttX write validation, allowing attackers to bypass the only existing guard by modifying filesystem state between validation and execution. This falls squarely under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal vulnerability class. The vulnerability affects PX4 Autopilot versions prior to 1.17.0-rc2 across all platforms running this autopilot software (CPE: cpe:2.3:a:px4:px4_autopilot).
RemediationAI
Upgrade PX4 Autopilot to version 1.17.0-rc2 or later immediately, as this is the official patched release addressing the path traversal and TOCTOU vulnerabilities. The upgrade process depends on your specific flight controller hardware; consult PX4 documentation at https://docs.px4.io/main/en/advanced_config/parameters.html for platform-specific upgrade procedures. For interim mitigation while upgrading is not feasible, restrict MAVLink communication to trusted ground stations only by implementing network segmentation and firewall rules to limit MAVLink peer access (typically UDP port 14550 or 14570). Disable MAVLink FTP functionality if it is not operationally required by adjusting the MAV_FWDEXT_ENABLED parameter or equivalent configuration. Additionally, operate UAVs in isolated network environments when possible, avoiding uncontrolled wireless access to the MAVLink command interface. Monitor flight controller logs for suspicious file operation attempts via MAVLink FTP.
More in Px4 Autopilot
View allStack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zen
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network at
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available()
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today