DroneAware CVE-2026-48117
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
AC:H reflects the timing prerequisite of registering before the victim; UI:R captures required victim activation; C:H/I:H reflect full account takeover; A:N as availability is unaffected.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed account activation. When the legitimate owner later activated the account, either by clicking the email verification link or by logging in via Google SSO, the attacker-set password became fully valid, enabling silent and persistent account takeover without any notification to the victim. The vulnerability was fixed server-side on 2025-05-20; no user action is required. Node binaries and self-hosted detection nodes are not affected. There are no workarounds; the fix was deployed server-side and no client-side mitigation is applicable.
AnalysisAI
Account pre-hijacking in the centralized droneaware.io cloud platform allowed unauthenticated attackers to register an account using a victim's email address with an attacker-controlled password prior to the victim completing account activation. Once the legitimate owner activated their account - either via an email verification link or by authenticating through Google SSO - the attacker-set password remained fully valid, granting silent and persistent account takeover with no notification to the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must know the victim's email address before the victim completes account registration on droneaware.io. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.8 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N accurately reflects the dual constraint on this vulnerability: the attack is fully remote and requires no attacker privileges (PR:N), but both AC:H and UI:R significantly limit exploitability in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows a target's email address (e.g., from a corporate directory, public profile, or phishing intelligence) registers a new DroneAware account at droneaware.io using that email before the victim does, supplying an attacker-controlled password. When the legitimate user later signs up and activates their account - either by clicking the email verification link or by authenticating via Google SSO - the platform activates the account without invalidating or replacing the attacker-set credential. … |
| Remediation | The vendor deployed a server-side fix to the centralized droneaware.io backend on 2025-05-20; no client-side action, patch installation, or configuration change is required by users. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today