Skip to main content

Px4 Autopilot CVE-2026-32709

MEDIUM
Path Traversal (CWE-22)
2026-03-13 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:19 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem without authentication. On NuttX targets, the FTP root directory is an empty string, meaning attacker-supplied paths are passed directly to filesystem syscalls with no prefix or sanitization for read operations. On POSIX targets (Linux companion computers, SITL), the write-path validation function unconditionally returns true, providing no protection. A TOCTOU race condition in the write validation on NuttX further allows bypassing the only existing guard. This vulnerability is fixed in 1.17.0-rc2.

AnalysisAI

An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on flight controller filesystems without authentication or privilege requirements. Affected versions are prior to 1.17.0-rc2, impacting both NuttX-based flight controllers and POSIX targets (Linux companion computers and SITL simulation environments). Attackers with network access to MAVLink communication channels can exploit this vulnerability to compromise flight controller integrity, extract sensitive configuration data, or inject malicious firmware.

Technical ContextAI

PX4 Autopilot is an open-source flight control software that implements the MAVLink protocol for communication between ground stations and unmanned aerial vehicles. The vulnerability exists in the MAVLink FTP server implementation, which is designed to allow remote file operations over the MAVLink communication protocol. The root cause is improper input validation in path handling: on NuttX targets, the FTP root directory is defined as an empty string, causing attacker-supplied paths to be passed directly to filesystem syscalls without sanitization or prefix validation. On POSIX targets (Linux), the write-path validation function unconditionally returns true, providing zero protection against path traversal. Additionally, a time-of-check-time-of-use (TOCTOU) race condition exists in NuttX write validation, allowing attackers to bypass the only existing guard by modifying filesystem state between validation and execution. This falls squarely under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal vulnerability class. The vulnerability affects PX4 Autopilot versions prior to 1.17.0-rc2 across all platforms running this autopilot software (CPE: cpe:2.3:a:px4:px4_autopilot).

RemediationAI

Upgrade PX4 Autopilot to version 1.17.0-rc2 or later immediately, as this is the official patched release addressing the path traversal and TOCTOU vulnerabilities. The upgrade process depends on your specific flight controller hardware; consult PX4 documentation at https://docs.px4.io/main/en/advanced_config/parameters.html for platform-specific upgrade procedures. For interim mitigation while upgrading is not feasible, restrict MAVLink communication to trusted ground stations only by implementing network segmentation and firewall rules to limit MAVLink peer access (typically UDP port 14550 or 14570). Disable MAVLink FTP functionality if it is not operationally required by adjusting the MAV_FWDEXT_ENABLED parameter or equivalent configuration. Additionally, operate UAVs in isolated network environments when possible, avoiding uncontrolled wireless access to the MAVLink command interface. Monitor flight controller logs for suspicious file operation attempts via MAVLink FTP.

Share

CVE-2026-32709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy